index.md

List of Available Queries

Here are the queries currently available:

linux

• Network Connections with Low Occurrence Frequency for Unique Agent ID (ES|QL)
• Unusual File Downloads from Source Addresses (ES|QL)
• Defense Evasion via Capitalized Process Execution (ES|QL)
• Hidden Process Execution (ES|QL)
• Potential Defense Evasion via Multi-Dot Process Execution (ES|QL)
• Excessive SSH Network Activity to Unique Destinations (ES|QL)
• Uncommon Process Execution from Suspicious Directory (ES|QL)
• Logon Activity by Source IP (ES|QL)
• Low Volume External Network Connections from Process by Unique Agent (ES|QL)
• Low Volume GTFOBins External Network Connections (ES|QL)
• Low Volume Modifications to Critical System Binaries by Unique Host (ES|QL)
• Low Volume Process Injection-Related Syscalls by Process Executable (ES|QL)
• Persistence Through Reverse/Bind Shells (SQL)
• Persistence via Cron (ES|QL, SQL)
• Drivers Load with Low Occurrence Frequency (ES|QL)
• Git Hook/Pager Persistence (ES|QL, SQL)
• Persistence via Message-of-the-Day (ES|QL, SQL)
• Persistence via Package Manager (ES|QL, SQL)
• Persistence via rc.local/rc.common (ES|QL, SQL)
• Shell Modification Persistence (ES|QL, SQL)
• Persistence via SSH Configurations and/or Keys (SQL)
• Persistence via Systemd (Timers) (ES|QL, SQL)
• Persistence via System V Init (ES|QL, SQL)
• Persistence via Udev (ES|QL, SQL)
• Unusual System Binary Parent (Potential System Binary Hijacking Attempt) (ES|QL)
• Privilege Escalation/Persistence via User/Group Creation and/or Modification (SQL)
• XDG Persistence (ES|QL, SQL)
• Privilege Escalation Identification via Existing Sudoers File (SQL)
• Process Capability Hunting (ES|QL)
• Segmentation Fault & Potential Buffer Overflow Hunting (ES|QL)
• OSQuery SUID Hunting (SQL)

llm

• AWS Bedrock LLM Denial-of-Service or Resource Exhaustion (ES|QL)
• AWS Bedrock LLM Latency Anomalies (ES|QL)
• AWS Bedrock LLM Sensitive Content Refusals (ES|QL)

macos

• Low Occurrence of Suspicious Launch Agent or Launch Daemon (ES|QL)
• Suspicious Network Connections by Unsigned Mach-O (ES|QL)

windows

• Low Occurrence Rate of CreateRemoteThread by Source Process (ES|QL)
• DLL Hijack via Masquerading as Microsoft Native Libraries (ES|QL)
• Masquerading Attempts as Native Windows Binaries (ES|QL)
• Rare DLL Side-Loading by Occurrence (ES|QL)
• Rare LSASS Process Access Attempts (ES|QL)
• DNS Queries via LOLBins with Low Occurence Frequency (ES|QL)
• Low Occurrence of Drivers Loaded on Unique Hosts (ES|QL)
• Excessive RDP Network Activity by Host and User (ES|QL)
• Excessive SMB Network Activity by Process ID (ES|QL)
• Executable File Creation by an Unusual Microsoft Binary (ES|QL)
• Frequency of Process Execution via Network Logon by Source Address (ES|QL)
• Execution via Remote Services by Client Address (ES|QL)
• Startup Execution with Low Occurrence Frequency by Unique Host (ES|QL)
• Low Frequency of Process Execution via WMI by Unique Agent (ES|QL)
• Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent (ES|QL)
• Low Occurence of Process Execution via Windows Services with Unique Agent (ES|QL)
• High Count of Network Connection Over Extended Period by Process (ES|QL)
• Libraries Loaded by svchost with Low Occurrence Frequency (ES|QL)
• Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent (ES|QL)
• Network Discovery via Sensitive Ports by Unusual Process (ES|QL)
• PE File Transfer via SMB_Admin Shares by Agent or User (ES|QL)
• Persistence via Run Key with Low Occurrence Frequency (ES|QL)
• Persistence via Startup with Low Occurrence Frequency by Unique Host (ES|QL)
• Egress Network Connections with Total Bytes Greater than Threshold (ES|QL)
• Rundll32 Execution Aggregated by Command Line (ES|QL)
• Scheduled tasks Creation by Action via Registry (ES|QL)
• Scheduled Tasks Creation for Unique Hosts by Task Command (ES|QL)
• Suspicious Base64 Encoded Powershell Command (ES|QL)
• Suspicious DNS TXT Record Lookups by Process (ES|QL)
• Unique Windows Services Creation by Service File Name (ES|QL)
• Windows Command and Scripting Interpreter from Unusual Parent Process (ES|QL)
• Windows Logon Activity by Source IP (ES|QL)