Here are the queries currently available:
- AWS IAM Customer-Managed Policy Attachment to Existing Roles (ES|QL)
- AWS IAM Unusual AWS Access Key Usage for User (ES|QL)
- EC2 Modify Instance Attribute User Data (ES|QL)
- EC2 Suspicious Get User Password Request (ES|QL)
- High EC2 Instance Deployment Count Attempts by Single User or Role (ES|QL)
- High Frequency of EC2 Multi-Region DescribeInstances API Calls (ES|QL)
- High Frequency of Service Quotas Multi-Region GetServiceQuota API Calls (ES|QL)
- IAM Assume Role Creation with Attached Policy (ES|QL)
- IAM User Activity with No MFA Session (ES|QL)
- Lambda Add Permissions for Write Actions to Function (ES|QL)
- Multiple Service Logging Deleted or Stopped (ES|QL)
- S3 Public Bucket Rapid Object Access Attempts (ES|QL)
- SSM Rare SendCommand Code Execution by EC2 Instance (ES|QL)
- SSM SendCommand API Used by EC2 Instance (ES|QL)
- SSM Start Remote Session to EC2 Instance (ES|QL)
- STS Suspicious Federated Temporary Credential Request (ES|QL)
- Secrets Manager High Frequency of Programmatic GetSecretValue API Calls (ES|QL)
- Signin Single Factor Console Login via Federated Session (ES|QL)
- User Creation with Administrator Policy Assigned (ES|QL)
- Defense Evasion via Capitalized Process Execution (ES|QL)
- Drivers Load with Low Occurrence Frequency (ES|QL)
- Excessive SSH Network Activity to Unique Destinations (ES|QL)
- Git Hook/Pager Persistence (ES|QL)
- Hidden Process Execution (ES|QL)
- Logon Activity by Source IP (ES|QL)
- Low Volume External Network Connections from Process by Unique Agent (ES|QL)
- Low Volume GTFOBins External Network Connections (ES|QL)
- Low Volume Modifications to Critical System Binaries by Unique Host (ES|QL)
- Low Volume Process Injection-Related Syscalls by Process Executable (ES|QL)
- Network Connections with Low Occurrence Frequency for Unique Agent ID (ES|QL)
- OSQuery SUID Hunting (ES|QL)
- Persistence Through Reverse/Bind Shells (ES|QL)
- Persistence via Cron (ES|QL)
- Persistence via DPKG/RPM Package (ES|QL)
- Persistence via Docker Container (ES|QL)
- Persistence via Dynamic Linker Hijacking (ES|QL)
- Persistence via Loadable Kernel Modules (ES|QL)
- Persistence via Message-of-the-Day (ES|QL)
- Persistence via Package Manager (ES|QL)
- Persistence via Pluggable Authentication Modules (PAM) (ES|QL)
- Persistence via SSH Configurations and/or Keys (ES|QL)
- Persistence via System V Init (ES|QL)
- Persistence via Systemd (Timers) (ES|QL)
- Persistence via Udev (ES|QL)
- Persistence via Web Shell (ES|QL)
- Persistence via rc.local/rc.common (ES|QL)
- Potential Defense Evasion via Multi-Dot Process Execution (ES|QL)
- Privilege Escalation Identification via Existing Sudoers File (ES|QL)
- Privilege Escalation/Persistence via User/Group Creation and/or Modification (ES|QL)
- Process Capability Hunting (ES|QL)
- Segmentation Fault & Potential Buffer Overflow Hunting (ES|QL)
- Shell Modification Persistence (ES|QL)
- Uncommon Process Execution from Suspicious Directory (ES|QL)
- Unusual File Downloads from Source Addresses (ES|QL)
- Unusual System Binary Parent (Potential System Binary Hijacking Attempt) (ES|QL)
- XDG Persistence (ES|QL)
- AWS Bedrock LLM Denial-of-Service or Resource Exhaustion (ES|QL)
- AWS Bedrock LLM Ignore Previous Prompt Detection (ES|QL)
- AWS Bedrock LLM Latency Anomalies (ES|QL)
- AWS Bedrock LLM Sensitive Content Refusals (ES|QL)
- Low Occurrence of Suspicious Launch Agent or Launch Daemon (ES|QL)
- Suspicious Network Connections by Unsigned Mach-O (ES|QL)
- Failed OAuth Access Token Retrieval via Public Client App (ES|QL)
- Identify High Average of Failed Daily Authentication Attempts (ES|QL)
- Multi-Factor Authentication (MFA) Push Notification Bombing (ES|QL)
- Multiple Application SSO Authentication from the Same Source (ES|QL)
- OAuth Access Token Granted for Public Client App from Multiple Client Addresses (ES|QL)
- Password Spraying from Repeat Source (ES|QL)
- Rapid MFA Deny Push Notifications (MFA Bombing) (ES|QL)
- Rapid Reset Password Requests for Different Users (ES|QL)
- Rare Occurrence of Domain with User Authentication Events (ES|QL)
- Rare Occurrence of OAuth Access Token Granted to Public Client App (ES|QL)
- Successful Impossible Travel Sign-On Events (ES|QL)
- DLL Hijack via Masquerading as Microsoft Native Libraries (ES|QL)
- DNS Queries via LOLBins with Low Occurrence Frequency (ES|QL)
- Egress Network Connections with Total Bytes Greater than Threshold (ES|QL)
- Excessive RDP Network Activity by Host and User (ES|QL)
- Excessive SMB Network Activity by Process ID (ES|QL)
- Executable File Creation by an Unusual Microsoft Binary (ES|QL)
- Execution via Remote Services by Client Address (ES|QL)
- Frequency of Process Execution via Network Logon by Source Address (ES|QL)
- High Count of Network Connection Over Extended Period by Process (ES|QL)
- Libraries Loaded by svchost with Low Occurrence Frequency (ES|QL)
- Low Frequency of Process Execution via WMI by Unique Agent (ES|QL)
- Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent (ES|QL)
- Low Occurrence of Process Execution via Windows Services with Unique Agent (ES|QL)
- Low Occurrence Rate of CreateRemoteThread by Source Process (ES|QL)
- Low Occurrence of Drivers Loaded on Unique Hosts (ES|QL)
- Masquerading Attempts as Native Windows Binaries (ES|QL)
- Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent (ES|QL)
- Network Discovery via Sensitive Ports by Unusual Process (ES|QL)
- PE File Transfer via SMB_Admin Shares by Agent or User (ES|QL)
- Persistence via Run Key with Low Occurrence Frequency (ES|QL)
- Persistence via Startup with Low Occurrence Frequency by Unique Host (ES|QL)
- Rare DLL Side-Loading by Occurrence (ES|QL)
- Rare LSASS Process Access Attempts (ES|QL)
- Rundll32 Execution Aggregated by Command Line (ES|QL)
- Scheduled Tasks Creation for Unique Hosts by Task Command (ES|QL)
- Scheduled Tasks Creation by Action via Registry (ES|QL)
- Startup Execution with Low Occurrence Frequency by Unique Host (ES|QL)
- Suspicious Base64 Encoded Powershell Command (ES|QL)
- Suspicious DNS TXT Record Lookups by Process (ES|QL)
- Unique Windows Services Creation by Service File Name (ES|QL)
- Windows Command and Scripting Interpreter from Unusual Parent Process (ES|QL)
- Windows Logon Activity by Source IP (ES|QL)