Security Onion Hub

Deployment guides, query library, and SOC component reference

28 queries across 7 categories

Credential Access

T1003 (5 queries)

LSASS Memory Access

Detects remote threads created in the LSASS process (Sysmon CreateRemoteThread), a common precursor to credential theft.

event.module: "sysmon" AND event.dataset:"create_remote_thread" AND message:"*lsass.exe"

LSASS Target Image

Alternative detection for LSASS credential dumping via target image.

event.module: "sysmon" AND event.dataset:"create_remote_thread" AND winlog.event_data.targetImage:"*lsass.exe"

Mimikatz Detection

Detects direct Mimikatz execution by process name or by the sekurlsa module appearing in the command line.

process.name: "mimikatz.exe" OR process.command_line: "*sekurlsa*"

SAM Registry Hive Access

Detects attempts to save SAM/SYSTEM registry hives for offline credential extraction.

process.command_line: "*reg save*HKLM\SAM*" OR process.command_line: "*reg save*HKLM\SYSTEM*"

DCSync Detection

Detects DCSync attacks used to replicate Active Directory credentials.

event.code: 4662 AND winlog.event_data.Properties: "*Replicating Directory Changes*"

Lateral Movement

T1021 (6 queries)

WMI Process Execution

Detects processes spawned by WMI, common in lateral movement.

event.module: "sysmon" AND process.parent.executable:"WmiPrvSE.exe"

WinRM Access

Network detection of WinRM lateral movement attempts.

rule.name: "ET POLICY WinRM wsman Access - Possible Lateral Movement"

NTLM Authentication

Monitors NTLM authentication events for pass-the-hash attacks.

event.dataset.keyword: ntlm

SMB File Transfer

Detects executable files being transferred over SMB.

rule.name: "ET POLICY SMB Executable File Transfer"

PsExec Detection

Detects PsExec service execution on remote hosts.

process.name: "PSEXESVC.exe" OR process.parent.name: "PSEXESVC.exe"

RDP Lateral Movement

Monitors RDP logon events that may indicate lateral movement.

event.code: 4624 AND winlog.event_data.LogonType: "10"

Command & Control

T1071 (5 queries)

CobaltStrike Beacon Pattern

Identifies connections with a narrow server packet count (9 to 11) characteristic of default CobaltStrike beacon check-ins.

server.packets > 8 AND server.packets < 12

Executable MIME Transfer

Detects executable files being downloaded over the network.

file.mime_type.keyword: application/x-dosexec

DCERPC Service Control

Detects remote service control manager access via DCERPC.

rule.name: "ET RPC DCERPC SVCCTL - Remote Service Control Manager Access"

DNS Tunneling Detection

Detects TXT queries whose name contains an unusually long run (30 or more) of alphanumeric characters, which may indicate DNS tunneling for C2. Lucene regexes are anchored to the whole value, so the pattern is wrapped in .* to match a long label anywhere in the name.

dns.query.name.keyword: /.*[a-z0-9]{30,}.*/ AND dns.query.type_name: "TXT"

Beaconing Interval Analysis

Identifies low-bandwidth periodic connections typical of C2 beacons.

network.protocol: "tls" AND server.bytes < 500 AND client.bytes < 500

Process Injection

T1055 (3 queries)

PowerShell Injection Source

Detects PowerShell as a source of process injection.

winlog.event_data.sourceImage:"powershell.exe"

Rundll32 Injection

Detects rundll32 being used for process injection.

winlog.event_data.sourceImage:"rundll32.exe"

Remote Thread to System Process

Detects remote thread creation targeting critical system processes.

event.code: 8 AND winlog.event_data.TargetImage: ("*svchost.exe" OR "*explorer.exe" OR "*csrss.exe")

Discovery

T1046 (4 queries)

DNS Query Analysis

Broad baseline of A-record DNS queries to hunt for reconnaissance activity.

dns.query.name.keyword:* AND dns.query.type_name.keyword: A

SMB File Enumeration

Monitors SMB file access for network share enumeration.

event.dataset.keyword: smb_files

Port Scan Detection

Detects network port scanning activity.

rule.name: "ET SCAN Potential VNC Scan" OR rule.name: "ET SCAN Nmap"

Active Directory Enumeration

Detects AD enumeration using net.exe commands.

process.name: "net.exe" AND process.command_line: ("*group*" OR "*user*" OR "*domain*")

Persistence

T1547 (3 queries)

Registry Run Key Modification

Detects modifications to registry Run keys used for persistence.

event.code: 13 AND registry.path: "*\CurrentVersion\Run*"

Scheduled Task Creation

Monitors scheduled task creation for persistence mechanisms.

event.code: 4698 OR (process.name: "schtasks.exe" AND process.command_line: "*create*")

Service Installation

Detects new service installations that may indicate persistence.

event.code: 7045 OR event.code: 4697

Exfiltration

T1041 (2 queries)

Large Outbound Transfer

Detects large outbound transfers (more than 10,000,000 client bytes) to destinations outside 10.0.0.0/8.

client.bytes > 10000000 AND NOT destination.ip: "10.0.0.0/8"

DNS Exfiltration

Detects DNS query names containing an unusually long run (50 or more) of alphanumeric characters that may encode exfiltrated data. Lucene regexes are anchored to the whole value, so the pattern is wrapped in .* to match a long label anywhere in the name.

dns.query.name.keyword: /.*[a-z0-9]{50,}.*/