Attack Detection API

We provide a list of ready-to-use correlation searches that are fully integrated with the MITRE ATT&CK App for Splunk (v2.2.0 and above). All queries are built according to the Splunk Common Information Model (CIM) where applicable, to achieve interoperability and efficiency (e.g. data model (DM) accelerations).

To receive an API key for your Splunk deployment, please select one of the following options.

List of Available Attack Detection API Correlation Rules (47):

| Name | Description | Technique(s) | Subtechnique(s) |
|---|---|---|---|
| AttackDetection - Execution with AT - Rule | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. | T1053 | T1053.002 |
| AttackDetection - Running executables with same hash and different names - Rule | Executables are generally not renamed, so a given hash of an executable should only ever have one name. | T1036 | T1036.003 |
| AttackDetection - Active Directory Dumping via NTDSUtil - Rule | The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. | T1003 | T1003.003 |
| AttackDetection - Squiblydoo - Rule | Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. | T1218 | T1218.010 |
| AttackDetection - Services launching Cmd - Rule | To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, it will time out (default is 30 seconds) and the process will be killed. To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. | T1543 | T1543.003 |
| AttackDetection - Credential Dumping via Windows Task Manager - Rule | The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. | T1003 | T1003.001 |
| AttackDetection - UAC Bypass - Rule | Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool. | T1548 | T1548.002 |
| AttackDetection - Command Launched from WinLogon - Rule | An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. | T1546 | T1546.008 |
| AttackDetection - Host Discovery Commands - Rule | When first gaining access to a host, an adversary may try to discover information about it. There are several built-in Windows commands that can be used to learn about the software configuration, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. | T1087 T1069 T1016 T1082 T1033 T1057 T1007 | T1087.001 T1087.002 T1069.001 T1069.002 |
| AttackDetection - Create Remote Process via WMIC - Rule | Adversaries may use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely. | T1047 | None |
| AttackDetection - Generic Regsvr32: Main Pattern - Rule | Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. | T1218 | T1218.010 |
| AttackDetection - Generic Regsvr32: Spawning Child Processes - Rule | Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. | T1218 | T1218.010 |
| AttackDetection - Powershell Execution - Rule | PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus, which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. | T1059 | T1059.001 |
| AttackDetection - Suspicious Arguments - Rule | Malicious actors may rename built-in commands or external tools, such as those provided by Sysinternals, to better blend in with the environment. Any tool of interest with commonly known command-line usage can be detected by command-line analysis (PuTTY, port forwarding, scp, mimikatz, RAR, archive), excluding IP address search. | T1003 T1021 T1105 | T1003.001 |
| AttackDetection - Lsass Process Dump via Procdump: Process Create - Rule | ProcDump is a Sysinternals command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. | T1003 | T1003.001 |
| AttackDetection - User Activity from Clearing Event Logs (Security) - Rule | It is likely that malicious attackers will try to cover their tracks by clearing an event log. A cleared event log is suspicious; alerting when a “Clear Event Log” event is generated could point to this intruder technique. | T1070 | T1070.001 |
| AttackDetection - Simultaneous Logins on a Host - Rule | Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. | T1078 | T1078.002 T1078.003 |
| AttackDetection - Execution with schtasks - Rule | The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. | T1053 | T1053.001 T1053.002 T1053.003 T1053.004 T1053.005 |
| AttackDetection - Quick execution of a series of suspicious commands - Rule | Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing. | T1087 T1003 T1069 T1057 T1021 T1543 T1112 T1574 T1018 T1569 T1053 T1029 T1033 T1007 T1082 T1049 T1016 T1010 T1518 T1046 T1562 T1098 T1059 T1012 | T1087.001 T1087.002 T1003.002 T1069.001 T1069.002 T1021.002 T1543.003 T1574.011 T1569.002 T1053.002 T1053.005 T1518.001 T1562.001 T1562.006 T1059.005 |
| AttackDetection - Reg.exe called from Command Shell - Rule | The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. If it is not, the process tree might be malicious. | T1012 T1112 T1547 T1574 | T1547.001 T1574.011 |
| AttackDetection - Remote PowerShell Sessions - Rule | According to ATT&CK, PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. | T1059 T1021 | T1059.001 T1021.006 |
| AttackDetection - User Logged in to Multiple Hosts - Rule | Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement. | T1078 | T1078.002 T1078.003 |
| AttackDetection - Suspicious Run Locations - Rule | In Windows, files should never execute out of certain directory locations. These locations may exist for a variety of reasons, and executables may be present in them, but they should not execute. | T1036 | None |
| AttackDetection - Processes Spawning cmd.exe - Rule | The Windows Command Prompt (cmd.exe) is a utility that provides a command-line interface to Windows operating systems. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning cmd.exe from certain parents may be more indicative of malice. | T1059 | T1059.003 |
| AttackDetection - RDP Connection Detection - Rule | The Remote Desktop Protocol (RDP), built into Microsoft operating systems, allows a user to remotely log in to the desktop of another host. RDP can be detected in several ways; this rule detects it via authentication events. | T1021 | T1021.001 |
| AttackDetection - RunDLL32.exe monitoring - Rule | Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be “executed” is through the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL by providing the name and optional arguments to an exported entry point. | T1218 | T1218.011 |
| AttackDetection - Successful Local Account Login - Rule | Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the Hash for lateral movement is detected with the authentication events in this rule. | T1550 | T1550.002 |
| AttackDetection - Scheduled Task FileAccess - Rule | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Note: you need to add the file_path field to the Endpoint.Processes dataset and make sure the action field for EventCode=11 is properly extracted as "created". | T1053 | T1053.005 |
| AttackDetection - Compiled HTML Access - Rule | Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML Help executable hh.exe, which is the signature for this analytic. | T1218 | T1218.001 |
| AttackDetection - Network Share Connection Removal - Rule | Adversaries may use network shares to exfiltrate data; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via the command line, which is otherwise a rare event. | T1070 | T1070.005 |
| AttackDetection - Local Network Sniffing - Rule | Adversaries may use a variety of tools to gain visibility on the current state of the network: which processes are listening on which ports, which services are running on other hosts, etc. | T1040 | None |
| AttackDetection - DLL Injection with Mavinject - Rule | The ways of injecting a malicious DLL into a process are numerous; mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one and is available within Windows. | T1055 | T1055.001 |
| AttackDetection - MSBuild and msxsl - Rule | Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe and msxsl.exe. | T1127 | T1127.001 |
| AttackDetection - Component Object Model Hijacking - Rule | Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. | T1546 | T1546.015 |
| AttackDetection - CMSTP - Rule | CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to set up listeners that will receive and install malware from remote sources in a trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP. | T1218 | T1218.003 |
| AttackDetection - Registry Edit from Screensaver - Rule | Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs. | T1546 | T1546.002 |
| AttackDetection - Credentials in Files & Registry - Rule | Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password”. | T1552 | T1552.001 T1552.002 |
| AttackDetection - AppInit DLLs - Rule | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. | T1546 | T1546.010 |
| AttackDetection - Clear Powershell Console Command History - Rule | Adversaries may attempt to conceal their tracks by deleting the history of commands run within the PowerShell console, or by turning off history saving to begin with. This analytic looks for several commands that would do this. | T1070 | T1070.003 |
| AttackDetection - Indicator Blocking - Driver Unloaded - Rule | Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. | T1562 | T1562.006 |
| AttackDetection - Processes Started From Irregular Parent - Rule | Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. | T1068 | None |
| AttackDetection - Local Permission Group Discovery - Rule | Cyber actors frequently enumerate local or domain permission groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives. | T1069 | T1069.001 T1069.002 |
| AttackDetection - Unusual Child Process for Spoolsv.Exe or Connhost.Exe - Rule | A common way of escalating privileges in a system is by externally invoking and exploiting the spoolsv or conhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us to any potentially malicious activity. | T1068 | None |
| AttackDetection - Unusual Child Process spawned using DDE exploit - Rule | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. This analytic looks for unusually spawned child processes. | T1559 | T1559.002 |
| AttackDetection - Webshell-Indicative Process Tree - Rule | A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway into a network. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. | T1505 | T1505.003 |
| AttackDetection - Detecting Tampering of Windows Defender Command Prompt - Rule | In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” (service control), a legitimate tool provided by Microsoft for managing services. | T1562 | T1562.001 |
| AttackDetection - Identifying Port Scanning Activity - Rule | After compromising an initial machine, adversaries commonly attempt to move laterally across the network. The first step of lateral movement often involves host identification and port and service scans on the internal network via the compromised machine, using tools such as Nmap, Cobalt Strike, etc. | T1046 | None |

Community (Free)

Basic for security teams.

  • 25 correlation searches for MITRE ATT&CK App for Splunk
  • Limited to corporate email addresses only

Standard ($225 / year)

Enabling proactive security response with updated rules.

  • New correlation searches are added weekly
  • Access to all available correlation searches for MITRE ATT&CK App for Splunk
  • Remote support (issues & hot-fixes) for MITRE ATT&CK App for Splunk