EDR

52 queries in this category

12 queries in EDR
PAID

Pass-the-Hash / Overpass-the-Hash

Detects Pass-the-Hash techniques via sekurlsa, pth-winexe, Rubeus, or similar tools that abuse NTLM hashes for authentication.

#event_simpleName=ProcessRollup2 CommandLine=/(sekurlsa|pth-winexe|Invoke-SMBExec|Invoke-TheHash|Invoke-WMIExec|Overpass-the-Hash|rubeus.*ptt|rubeus.*asktgt)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
Tags: EDR, sofistic, lateral-movement
Advanced
PAID

PowerShell Download Cradle

Detects PowerShell downloading payloads via IEX, Invoke-WebRequest, Net.WebClient, or similar download cradle patterns.

#event_simpleName=ProcessRollup2 FileName=/(powershell|pwsh)\.exe/i CommandLine=/(IEX|Invoke-Expression|Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer|wget\s|curl\s)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 2 | sort(_count, limit=20)
Tags: EDR, sofistic, execution
Intermediate
PAID

PowerShell Encoded Commands

Detects PowerShell execution with Base64-encoded commands (-enc, -encodedcommand) commonly used to evade AV/EDR detection.

#event_simpleName=ProcessRollup2 FileName=/(powershell|pwsh)\.exe/i CommandLine=/(\-enc|\-encodedcommand|\-e\s)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
Tags: EDR, sofistic, execution
Intermediate
PAID

Process Injection Indicators

Detects process injection techniques and tools via command-line indicators (OpenProcess, WriteProcessMemory, CreateRemoteThread).

#event_simpleName=ProcessRollup2 CommandLine=/(Invoke-ReflectivePEInjection|Inject-Shellcode|VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|NtMapViewOfSection|QueueUserAPC)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
Tags: EDR, sofistic, defense-evasion
Advanced
PAID

PsExec / Remote Service Execution

Detects PsExec and similar remote service execution tools used for lateral movement across Windows environments.

#event_simpleName=ProcessRollup2 FileName=/(psexec|psexesvc|paexec|remcom|csexec)\.exe/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 3 | sort(_count, limit=20)
Tags: EDR, sofistic, lateral-movement
Intermediate
PAID

RDP Lateral Movement Burst

Detects multiple RDP sessions (logon type 10) from the same user to different hosts in a short window — lateral movement indicator.

#event_simpleName=UserLogon LogonType=10 | groupBy([UserName], function=[count(), collect([ComputerName])]) | _count > 5 | sort(_count, limit=20)
Tags: EDR, sofistic, lateral-movement
Intermediate
PAID

Script Execution from Temp/Downloads

Detects scripts executed from temporary or downloads directories — a common staging area for malicious payloads.

#event_simpleName=ProcessRollup2 FileName=/(powershell|cmd|wscript|cscript|mshta)\.exe/i CommandLine=/(\\Temp\\|\\tmp\\|\\Downloads\\|\\AppData\\Local\\Temp)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
Tags: EDR, sofistic, execution
Intermediate
PAID

Security Tool Tampering

Detects attempts to disable Windows Defender, the firewall, or security services — often a pre-ransomware or persistence step.

#event_simpleName=ProcessRollup2 CommandLine=/(Set-MpPreference.*DisableRealtimeMonitoring.*True|DisableBehaviorMonitoring.*True|net\s+stop\s+.*(MpsSvc|WinDefend|Sense|wscsvc)|sc\s+(stop|config|delete)\s+.*(WinDefend|Sense|MpsSvc))/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
Tags: EDR, sofistic, defense-evasion
Advanced
PAID

Suspicious DLL Loading from Temp Dirs

Detects DLLs loaded from temporary or downloads directories — indicative of DLL side-loading or dropped payload execution.

#event_simpleName=ClassifiedModuleLoad ImageFileName=/(\\Temp\\|\\tmp\\|\\Downloads\\|\\AppData\\Local\\Temp\\|\\Public\\)/i | groupBy([ComputerName, ImageFileName], function=count()) | _count > 5 | sort(_count, limit=20)
Tags: EDR, sofistic, defense-evasion
Intermediate
PAID

Suspicious LOLBin Execution

Detects LOLBin executions with suspicious arguments (download, encode, decode, execute) used for defense evasion.

#event_simpleName=ProcessRollup2 FileName=/(mshta|regsvr32|certutil|rundll32|cscript|wscript|msiexec)\.exe/i CommandLine=/(http|download|encode|decode|bypass|hidden|invoke|iex)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
Tags: EDR, sofistic, execution
Intermediate
FREE

Timestomping Detection

Detects file timestamp manipulation (timestomping) used as an anti-forensics technique to conceal malicious activity.

#event_simpleName=ProcessRollup2 CommandLine=/(timestomp|Set\-ItemProperty.*LastWriteTime|touch\s)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 3 | sort(_count, limit=20)
Tags: EDR, sofistic, defense-evasion
Beginner
PAID

WMI Remote Execution

Detects remote execution via WMI (wmic process call create, Invoke-WmiMethod) — a fileless lateral movement technique.

#event_simpleName=ProcessRollup2 FileName=/(wmic|wmiprvse)\.exe/i CommandLine=/(process\s+call\s+create|Invoke-WmiMethod|Invoke-CimMethod|node:)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 2 | sort(_count, limit=20)
Tags: EDR, sofistic, lateral-movement
Intermediate