This is a follow-up to Will Any of This Fire?. That post introduced the method: decompose a threat report into behaviors, run each behavior up the ladder from technique tag to predicate leaf to structural pivot. This post runs the same method in rapid succession across six threat reports as a drill, covering multi-operator queries and operators not covered in the first post: kind:, with:, field:, correlation:, and excludes:.
Many thanks to the analysts at The DFIR Report for their work.
The field operator earns its keep
Atera RMM was installed as a service during the RansomHub intrusion. The field: operator anchors a value to a specific predicate field. This query searches for Atera as a ServiceName predicate using a contains match:

field:ServiceName value:atera kind:contains

3 results
Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare's edge while evading direct connection blocking.
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.
T1567 Exfiltration Over Web Service; T1572 Protocol Tunneling
Detects network connections to Cloudflared tunnel domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc., in order to pass through undetected.
T1187 Forced Authentication; T1550 Use Alternate Authentication Material; T1557.001 Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay
Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed Kerberos authentication material for the server's computer account to execute code on behalf of the compromised system.
T1187 Forced Authentication; T1557.001 Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay
Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
NetSync allows an attacker to take the NTLM hash of a Domain Controller (DC) machine account ("usually" identified by ending in "$") and use it to obtain the NTLM machine account hash of another machine account through impersonation (similar to, but different from, DCSync). Where DCSync can obtain user account passwords, NetSync is limited to machine accounts. The other main differentiator between DCSync and NetSync is that DCSync will make use of Microsoft's Directory Replication Service (DRS...
Detects scenarios where an attacker performs a password reset event. This does not require any knowledge of a user's current password, but it does require the "Reset Password" right. Correlate event IDs 4724, 4624 and 5145 using the "SubjectLogonId" field to identify the source of the reset.
Threat actors may scan for hosts with SMB ports exposed to the internet and attempt to access services. This rule detects external attempts to access SMB shares (Event IDs 5140 or 5145) following network logons (Event ID 4624, Logon Type 3) within a one minute period correlated by host and user, which may indicate a threat actor's initial access attempt via SMB.
Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
T1187 Forced Authentication; T1550 Use Alternate Authentication Material; T1557.001 Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay
Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed Kerberos authentication material for the server's computer account to execute code on behalf of the compromised system.
T1187 Forced Authentication; T1557.001 Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay
Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment. The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within ...
18 stages; sequence; window: 10m; events: 4624, 4625
Privilege escalation, credential access, C2
Lunar Spider performed a UAC bypass via registry hijack of HKCU\Software\Classes\ms-settings\shell\open\command. The uses:TargetObject clause limits results to rules that inspect the registry path field specifically:

value:ms-settings uses:TargetObject

4 results
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
T1546.001 Event Triggered Execution: Change Default File Association; T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
T1003.001 OS Credential Dumping: LSASS Memory; T1036.003 Masquerading: Rename Legitimate Utilities; T1218.011 System Binary Proxy Execution: Rundll32
Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.
T1003.001 OS Credential Dumping: LSASS Memory; T1003.003 OS Credential Dumping: NTDS; T1218.011 System Binary Proxy Execution: Rundll32
Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.
T1036.001 Masquerading: Invalid Code Signature; T1036.005 Masquerading: Match Legitimate Resource Name or Location; T1553.002 Subvert Trust Controls: Code Signing; T1554 Compromise Host Software Binary; T1574.001 Hijack Execution Flow: DLL
Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.
DNS queries for the Tor .onion TLD. This is not an IOC from any of the referenced reports, but illustrates anchoring a domain suffix to the DNS query field:

field:QueryName value:.onion

23 results, showing first 10
Run key persistence appeared in EtherRat, Lunar Spider, and KongTuke. The excludes: operator filters to rules that suppress a specific field to reduce false positives. Here it returns rules anchored on the Run key path that also allowlist on Image, which may contain allowlists worth reviewing:

field:TargetObject value:*CurrentVersion\Run* excludes:Image

11 results, showing first 10
T1112 Modify Registry; T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.
excludes: image

targetobject | wildcard | HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
targetobject | wildcard | HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
targetobject | wildcard | HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*
+3 more matching
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.
with:
Co-occurrence event-id; stacks (with:4624 with:4769) to require all, while a comma list in one occurrence (with:4624,4769) is an either-or group. Implies multi-event
like:
Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): like:comsvcs_lsass_memory_dump-splunk-sysmon
groupby:
Entity-grouping substring match against group_by_keys: groupby:user, groupby:host
uses:
Rules whose predicate tree touches the field (any kind, any value): uses:CommandLine
excludes:
Rules with top-level not() clauses on the field (FP whitelists): excludes:ParentImage
field: / value:
Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (value:*mimikatz*)
indicator:
Shorthand for field:F value:V: indicator:Image=*\powershell.exe
kind:
Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (vendor:elastic kind:cidr_match) and drives the indicator tier: contains / starts_with / ends_with / regex / cidr / eq / in … (operator aliases op:/match:)
Exclude matches; works on most operators but not type:/like:/has:/no: (use no:<flag> to exclude a rule flag): tactic:execution -vendor:splunk. Standalone -kind:/-field:/-value: drop every rule carrying a matching predicate leaf (type:rules -kind:is_null)
field:"…" / value:"…"
Quoted value = anchored exact match (also allows spaces): value:"net user"
a,b
Comma = OR inside one operator (vendor:sigma,elastic, severity:high,critical); repeating a facet merges the same way. field:/value: never split (literal commas)
vendors: / stage:
Singular and plural spellings fold to the canonical operator and value: tactics: = tactic:, type:event = type:events, correlation:sequences = correlation:sequence, has:thresholds = has:threshold
"quoted phrase"
Exact-match a multi-word phrase (free text)
Full operator reference, with every alias and accepted value, lives at Search and Filter Syntax.
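The operator semantics listed above (field:/value:/kind: on a predicate leaf, uses:, excludes:, the with: stacking rule, comma-as-OR, quoted exact matches, wildcards and the leading minus) are easy to get subtly wrong when reading them as a table, so here they are implemented over a small constructed corpus. This is an added example and not the search tool's own code; the Leaf and Rule shapes, the rule slugs, vendors, leaves and event IDs are all assumptions made up for the demonstration, and the treatment of free text as a slug substring and of vendor: as an exact facet is my reading of the reference rather than documented behaviour. It also reproduces the Run-key walkthrough above, where adding excludes:Image drops the Run-key rule that carries no Image allowlist.

```python
"""Toy evaluator for the search operators in the reference above.

Added example, not the search tool's own code. The rule cards are constructed
and the semantics are my reading of the reference: field:/value:/kind: must all
hit one predicate leaf, uses: hits any leaf on a field, excludes: hits a field
with a top-level not() clause, with: stacks as AND but a comma list inside one
with: is OR, quoted values are anchored exact matches, unquoted ones are
case-insensitive substrings with * wildcards, and a leading '-' negates.
"""
import fnmatch
import re
from collections import namedtuple

Leaf = namedtuple("Leaf", "field kind value")  # one predicate leaf of a rule
# leaves: predicate leaves; excludes: fields with a top-level not() (FP allowlists);
# events: Windows event IDs the rule correlates
Rule = namedtuple("Rule", "slug vendor leaves excludes events")

RUN_KEY = r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*"
NONE = frozenset()
RULES = (  # constructed corpus; slugs, vendors and leaves are illustrative only
    Rule("atera_service_install", "sigma",
         (Leaf("ServiceName", "contains", "atera"),), (), NONE),
    Rule("run_key_with_image_allowlist", "elastic",
         (Leaf("TargetObject", "wildcard", RUN_KEY),), ("Image",), NONE),
    Rule("run_key_uncommon_keys", "sigma",
         (Leaf("TargetObject", "contains", r"\CurrentVersion\Run"),), (), NONE),
    Rule("uac_bypass_ms_settings", "sigma",
         (Leaf("TargetObject", "contains", r"ms-settings\shell\open\command"),), (), NONE),
    Rule("net_user_discovery", "splunk",
         (Leaf("CommandLine", "contains", "net user"),), ("ParentImage",), NONE),
    Rule("failed_then_successful_logon", "splunk",
         (Leaf("EventID", "in", "4624,4625"),), (), frozenset({"4624", "4625"})),
    Rule("coercion_then_relay", "elastic",
         (Leaf("EventID", "in", "4624,4769"), Leaf("ParentImage", "is_null", "")),
         (), frozenset({"4624", "4769"})),
)

# -op:value | op:"quoted value" | op:value | "free phrase" | word
TOKEN = re.compile(r'(-?)(\w+):("[^"]*"|\S+)|"([^"]*)"|(\S+)')
ALIASES = {"vendors": "vendor", "op": "kind", "match": "kind"}  # plural/alias folding
LEAF_OPS = {"field": "field", "value": "value", "kind": "kind"}


def parse(query):
    """Yield (negated, op, exact, values) terms; op is None for free text."""
    for neg, op, raw, quoted, word in TOKEN.findall(query):
        if quoted or word:
            yield False, None, bool(quoted), [quoted or word]
            continue
        op = ALIASES.get(op, op)
        if op == "indicator":  # indicator:F=V is shorthand for field:F value:V
            f, _, v = raw.partition("=")
            yield neg == "-", "field", False, [f]
            yield neg == "-", "value", False, [v]
            continue
        exact = len(raw) > 1 and raw[0] == raw[-1] == '"'
        raw = raw[1:-1] if exact else raw
        # comma is OR inside one operator, but field:/value: are never split
        values = [raw] if exact or op in ("field", "value") else raw.split(",")
        yield neg == "-", op, exact, values


def text_match(pattern, text, exact):
    """Quoted = anchored exact; unquoted = substring, * and ? wildcards allowed."""
    p, t = pattern.lower(), text.lower()
    if exact:
        return p == t
    return fnmatch.fnmatchcase(t, p) if "*" in p or "?" in p else p in t


def leaf_hits(leaf, constraints):
    """One leaf must satisfy every (attr, exact, values) constraint; values are OR."""
    return all(any(text_match(v, getattr(leaf, attr), exact) for v in values)
               for attr, exact, values in constraints)


def matches(rule, terms):
    positive = []  # field/value/kind terms are conjoined on a single leaf
    for neg, op, exact, values in terms:
        if op in LEAF_OPS:
            c = (LEAF_OPS[op], exact, values)
            if not neg:
                positive.append(c)
            elif any(leaf_hits(leaf, [c]) for leaf in rule.leaves):
                return False  # standalone -kind:/-field:/-value: drops the rule
            continue
        if op is None:
            hit = any(text_match(v, rule.slug, exact) for v in values)
        elif op == "vendor":
            hit = rule.vendor in values
        elif op == "uses":
            hit = any(text_match(v, leaf.field, exact) for v in values for leaf in rule.leaves)
        elif op == "excludes":
            hit = any(text_match(v, f, exact) for v in values for f in rule.excludes)
        elif op == "with":  # every with: must hit; the comma list inside one is OR
            hit = any(v in rule.events for v in values)
        else:
            raise ValueError(f"unsupported operator {op}:")
        if hit == neg:
            return False
    return not positive or any(leaf_hits(leaf, positive) for leaf in rule.leaves)


def search(query, rules=RULES):
    """Slugs of the rules that satisfy every term of the query, in corpus order."""
    terms = list(parse(query))
    return [r.slug for r in rules if matches(r, terms)]
```

Calling search(r"field:TargetObject value:*CurrentVersion\Run*") returns both Run-key rules, while appending excludes:Image keeps only the one carrying an Image allowlist; search("with:4624 with:4769") returns only the rule correlating both event IDs, whereas search("with:4624,4769") also returns the failed-then-successful logon rule. Note that unquoted excludes:Image also substring-matches a ParentImage allowlist, which is exactly why the reference offers the quoted form for an anchored match.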