Determines the DeviceId from an internal IP address and outputs all alerts in the events table associated with that DeviceId. Example use case: a firewall determines an internal IP with suspicious network activity. Qu
One of the challenges in making an AppLocker policy is knowing where applications launch from. This query normalizes process launch paths through aliasing, then counts the number of processes launche
Baseline Comparison. Author: miflower. The purpose of this query is to perform a comparison between "known good" machines and suspected bad machines. The original concept for this query was born due t
This query identifies crashing processes based on parameters passed to werfault.exe and attempts to find the associated process launch from DeviceProcessEvents.
This query is a function that consumes the publicly available Azure IP address list and checks a list of remote IP addresses against it to see if they are Azure IP addresses or not. To use this, repla
This query will count the number of devices in Defender ATP based on their DNS suffix. For a full list of devices with the DNS suffix, comment out or remove the last line.
This query calculates device uptime based on periodic DeviceInfo, which is recorded every 15 minutes regardless of the device's network connectivity and uploaded once the device gets online. If its interval is
Did you know you can use emojis in Windows? Read more here: https://davidzych.com/abusing-emoji-in-windows. Check out who in your organization has renamed his or her computer to a Pizza or to a smili
This query will provide a report of many of the best practice configurations for Defender ATP deployment. Special Thanks to Gilad Mittelman for the initial inspiration and concept. Any tests which are
This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event
Sample query to detect if there are more than 3 failed logon authentications on high value assets. Update DeviceName to reflect your high value assets. For questions @MiladMSFT on Twitter or milad.asl
Query #1 - Find the machines on which this file was seen. TODO - set file hash to be a SHA1 hash of your choice...
This query helps you design client firewall rules based on data stored within DeviceNetworkEvents. Folder paths are aliased to help represent the files making or receiving network connections without
This is a completely stupid and pointless query that makes Vogon poetry out of a random FolderPath from the table you pass it. You can change DeviceProcessEvents for any table as long as it has a col
Hunt package for 2 IOCs associated with Kimwolf
Hunt package for 37 IOCs associated with ClearFake
Hunt package for 90 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with AdaptixC2
Hunt package for 9 IOCs associated with AsyncRAT
Hunt package for 30 IOCs associated with Cobalt Strike
Hunt package for 4 IOCs associated with Remcos
Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels
Hunt package for 7 IOCs associated with VShell
Hunt package for 18 malicious URLs tagged as 32-bit
Hunt package for 15 malicious URLs tagged as adb
Hunt package for 2 malicious URLs tagged as amos
Hunt package for 4 malicious URLs tagged as c2-monitor-auto
Hunt package for 10 malicious URLs tagged as ClearFake
Hunt package for 3 malicious URLs tagged as DDoSAgent
Hunt package for 19 malicious URLs tagged as elf
Hunt package for 2 malicious URLs tagged as loader
Hunt package for 25 malicious URLs tagged as malware_download
This query was originally published in the threat analytics report, WinRAR CVE-2018-20250 exploit. WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne
The following query looks for suspicious behaviors observed in the samples analyzed in the report.
Identifies native processes or binaries in writable paths loading .NET runtimes. This suggests in-memory code injection and ETW patching used by malware to execute code while evading detection by secu
This query looks for anomalies in mail item access events made by Graph API. It uses standard deviation to determine if the number of events is anomalous. The query returns all clientIDs where the amo
Anthem Hack Deep Panda - htran-exe
Anthem Hack Deep Panda - lot1.tmp-pwdump
Anthem Hack Deep Panda - ScanLine sl-txt-packed
Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll
YARA rule: APT_DeputyDog
YARA rule: APT_DeputyDog_Fexel
YARA rule: APT_Derusbi_DeepPanda
YARA rule: APT_Derusbi_Gen
Rule to detect Duqu 2.0 drivers
The YARA rule 'apt_duqu2_loaders' detects Duqu 2.0 malware samples
YARA rule: apt_nix_elf_derusbi
YARA rule: apt_nix_elf_derusbi_kernelModule
YARA rule: apt_nix_elf_Derusbi_Linux_SharedMemCreation
YARA rule: apt_nix_elf_Derusbi_Linux_Strings
YARA rule: apt_win_exe_trojan_derusbi
YARA rule: apt_win32_dll_bergard_pgv_pvid_variant
Looks for accounts that uploaded multiple code repositories to an external web domain.
Assuming that you have a machine that is properly BitLocker'ed, then the machine will need to be running to extract the SAM and SYSTEM files. This first query looks for any access to the HKLM that hap
The following query surfaces network activity associated with exploitation of CVE-2022-22965.
Check all created files that do not have the extension ps1, bat or cmd (to avoid IT Pro scripts) and that are not copied to C:\, to detect all file shares, external drives and data partitions that are not allowed,
This query can be used to detect instances of a malicious insider creating a file archive and then emailing that archive to an external "competitor" organization.
This query can be used to explore any instances where a terminated individual (i.e. one who has an impending termination date but has not left the company) downloads a large number of files from a non
This query can be used to detect instances of malicious users who attempt to create steganographic images and then immediately browse to a webmail URL. This query would require additional investigati
Identify service hollowing and persistence setting
File manipulation actions associated with CRASHOVERRIDE wiper
Registry Wiper functionality associated with CRASHOVERRIDE
The query checks process command line arguments and parent/child combinations to find machines where there have been attempts to exploit the Protocol Handler Vulnerability of the Electron framework CVE-
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne
This query lists files copied to USB external drives with USB drive information, based on FileCreated events associated with the most recent USBDriveMount events before file creation. But be aware that Adv
This query checks for specific processes and the domain TLD used in the CVE-2018-4878 Flash 0-day exploit attack reported by KrCERT. CVE: CVE-2018-4878. Read more here: https://www.krcert.or.kr/data/secNo
Identifies application role assignments to service principals granting high-risk permissions such as Mail.ReadWrite, Directory.ReadWrite.All, or RoleManagement.ReadWrite.Directory, which provide tenan
Identifies the user who acted on a reported phishing message and compares that actor with the original recipient, helping investigate delegate or shared mailbox reporting scenarios.
The query checks process command line arguments and parent/child combinations to find machines where there have been attempts to exploit a DHCP remote code command injection, CVE-2018-1111. DynoRoot
The MailItemsAccessed action is part of the new Advanced Audit functionality of Microsoft Defender XDR. It's part of Exchange mailbox auditing and is enabled by default for users that have an Office 3
Action "PnpDeviceConnected" reports the connection of any plug and play device. Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416. Query
This hunting query looks for the technique "Malware Hides Itself Among Windows Defender Exclusions to Evade Detection".
This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.
As described in previous guidance, Nobelium may re-purpose legitimate existing OAuth Applications in the environment to their own ends. However, malicious activity patterns may be discernible from le
Use this query to review OAuth applications whose behaviour has changed as compared to a prior baseline period. The following query returns OAuth Applications accessing user mail via Graph that did no
One common technique leveraged by attackers is using archiving applications to package up files for exfiltration. In many cases, these archives are usually protected with a password to make analysis m
This query searches for file copies which occur within a period of time (by default 15 min) to volumes other than the C drive or UNC shares. By default, this query will search all devices. A single de
First query digs in print spooler drivers folder for any file creations, MANY OF THE FILES THAT SHOULD COME UP HERE MAY BE LEGIT. Unsigned files or ones that don't have any relations to printers that
Identifies permanent directory role assignments to privileged roles made outside the Privileged Identity Management activation workflow. Direct assignments bypass PIM approval and justification requir
Designed to catch loader observed used with ROKRAT malware
Identifies service principal credential additions or updates by actors with no history of this operation in the preceding 90 days. A new actor outside the established baseline may indicate credential
Check for network connections with SolarWinds IPs based on DeviceNetworkEvents
Look for the spoolsv.exe launching rundll32.exe with an empty command line
Look for the creation of suspicious DLL files spawned in the \spool\ folder along with DLLs that were recently loaded afterwards from \Old.
Monitor for creation of suspicious files in the /spools/driver/ folder. This is a broad-based search that will surface any creation or modification of files in the folder targeted by this exploit. Fal
Surfaces suspicious spoolsv.exe behavior likely related to CVE-2021-1675
The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence, CVE-2022-26134. Read more here: https://confluence.atlassian.com/doc/confluence-security-adv
Hunt package for 2 IOCs associated with Antidot
Hunt package for 13 IOCs associated with Kimwolf
Hunt package for 3 IOCs associated with Mozi
Hunt package for 2 IOCs associated with PerlBot
Hunt package for 3 IOCs associated with RedTail
Hunt package for 4 IOCs associated with XMRIG
Hunt package for 64 IOCs associated with ClearFake
Hunt package for 8 IOCs associated with KongTuke
Hunt package for 23 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with Unknown Loader
Hunt package for 2 IOCs associated with Unknown Stealer
Hunt package for 10 IOCs associated with AdaptixC2
Hunt package for 2 IOCs associated with AsyncRAT
Hunt package for 16 IOCs associated with Cobalt Strike
Hunt package for 8 IOCs associated with CountLoader
Hunt package for 2 IOCs associated with DCRat
Hunt package for 2 IOCs associated with Nanocore RAT
Hunt package for 3 IOCs associated with PureRAT
Hunt package for 2 IOCs associated with Remcos
Hunt package for 6 IOCs associated with Remus
Hunt package for 5 IOCs associated with SectopRAT
Hunt package for 4 IOCs associated with Tofsee
Hunt package for 2 IOCs associated with ValleyRAT
Hunt package for 12 IOCs associated with Vidar
Hunt package for 3 IOCs associated with VShell
YARA rule: Trojan_Derusbi
This query looks for users sharing access to files with external users. This applies to SharePoint and OneDrive users. Audit event and Cloud application identifier references. Reference - https://l
Hunt package for 3 malicious URLs tagged as 134-199-190-221
Hunt package for 3 malicious URLs tagged as 165-227-155-54
Hunt package for 47 malicious URLs tagged as 32-bit
Hunt package for 5 malicious URLs tagged as arm
Hunt package for 15 malicious URLs tagged as ClearFake
Hunt package for 4 malicious URLs tagged as e73f7ff7572070d56a631ac6796adabd
Hunt package for 8 malicious URLs tagged as elf
Hunt package for 3 malicious URLs tagged as malware_download
Hunt package for 7 malicious URLs tagged as Mozi
Hunt package for 3 malicious URLs tagged as ocx
The query checks for process commands being placed into the script; CVE-2022-22960 allows a user to write to it and have it executed as root. This vulnerability of VMware Workspace ONE Access, Identity Manager
The query digs in the Windows print spooler drivers folder for any file creations, MANY OF THE FILES THAT SHOULD COME UP HERE MAY BE LEGIT. A suspicious DLL is loaded from the Spooler Service backup folder. This
This query looks for lnk file executions from locations other than the C: drive, which can relate to mounted ISO files. Reference - https://threathunt.blog/detecting-a-payload-delivered-with-iso-files-us
TheMask / Careto CnC communication signature
TheMask / Careto known command and control domains
TheMask / Careto OSX component signature
TheMask / Careto SGH component signature
Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo
Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo
Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo
Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo
This query was originally published in the threat analytics report, ShadowHammer supply chain attack. Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update
Detect functions coded with ROR edi,D; detect Cobalt Strike used by different APT groups
This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform an
This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i
This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now use
This query was originally published in the threat analytics report, CVE-2018-8653 scripting engine vulnerability. CVE-2018-8653 is a remote code execution vulnerability found in the scripting engine f
This query looks for signs of the impacket atexec module. Should work with others using a similar technique. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-part-3/
This query looks for signs of the impacket dcomexec module. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-part-2/
This query looks for signs of impacket psexec module usage. May hit other psexec-like techniques too. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-psexec/
This query looks for signs of impacket wmiexec module usage. May hit other WMI execution-like techniques too. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-part-2/
This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary co
This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows inst
This query detects possible abuse of ms-msdt MSProtocol URI scheme to load and execute malicious code via Microsoft Support Diagnostic Tool Vulnerability (CVE-2022-30190). The following query detects
This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve. Windows Management Instrumentation, or WMI, is a legitimate Microsoft framework used to obtain ma
This query aims to detect if someone requests service tickets (where count >= MaxCount). The query requires tuning to set a baseline level for MaxCount. Mitre Technique: Kerberoasting (T1558.003) @Ma
This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve. Microsoft HTML Applications, or HTAs, are executable files that use the same technologies and mod
This query identifies UAC elevated processes by analyzing launches of consent.exe (the process that performs UAC elevation). The first parameter of consent.exe is the process ID being elevated, theref
This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now use
CRASHOVERRIDE v1 Config File Parsing
CRASHOVERRIDE v1 Suspicious Export
CRASHOVERRIDE Malware Hashes
IEC-104 Interaction Module Program Strings
CRASHOVERRIDE v1 Suspicious Strings and Export
CRASHOVERRIDE v1 Wiper
Blank mutex creation associated with CRASHOVERRIDE
This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order
This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is
This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the us
This query was originally published in the threat analytics report, OSX/SurfBuyer adware campaign. It will return results if a shell script has furtively attempted to decode and save a file to a /tmp
This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Origina
This query identifies common processes run by ransomware malware to destroy volume shadow copies or clean free space on a drive to prevent a file from being recovered post-encryption. To reduce false
Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious s
Finds PowerShell execution events that could involve a download.
Find the execution of PowerShell Version 2.0, either to discover legacy scripts using version 2 or to find attackers trying to hide from script logging and AMSI.
Find all machines running a given PowerShell cmdlet. This covers all PowerShell commands executed in the PowerShell engine by any process.
Find which uncommon PowerShell cmdlets were executed on that machine in a certain time period. This covers all PowerShell commands executed in the PowerShell engine by any process.
This query was originally published in the threat analytics report, Python abuse on macOS. The Python programming language comes bundled with macOS. In threat intelligence gathered from macOS endpoints
This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne
Identifies non-ASCII data written to the RunMRU registry key by explorer.
This query was originally published in the threat analytics report, SQL Server abuse. SQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimat
Hunt package for 8 IOCs associated with Kimwolf
Hunt package for 2 IOCs associated with Mirai
Hunt package for 2 IOCs associated with XMRIG
Hunt package for 60 IOCs associated with ClearFake
Hunt package for 5 IOCs associated with KongTuke
Hunt package for 17 IOCs associated with Unknown malware
Hunt package for 5 IOCs associated with AdaptixC2
Hunt package for 8 IOCs associated with AsyncRAT
Hunt package for 23 IOCs associated with Cobalt Strike
Hunt package for 2 IOCs associated with Lumma Stealer
The nccTrojan malware is a stealthy backdoor that establishes persistent remote access, exfiltrates sensitive data, and executes arbitrary commands to compromise infected systems. It typically arrives via phishing emails with malicious attachments or exploit kits bundled with legitimate software. SOC analysts should monitor
Hunt package for 5 IOCs associated with NetSupportManager RAT
PureRAT is a remote access trojan that enables attackers to exfiltrate data, execute arbitrary commands,
Remcos is a remote access Trojan (RAT) that enables attackers to steal sensitive data, execute arbitrary
Hunt package for 3 IOCs associated with Remus
Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting financial institutions and leveraging stolen credentials for lateral movement. It typically arrives through phishing emails with malicious attachments or compromised websites, using URL and domain-based command-and
Hunt package for 17 IOCs associated with VShell
XWorm is a multi-stage malware that establishes persistence, exfiltrates data, and leverages command-and-control (C2) communication to execute further malicious activities. It typically arrives via phishing emails containing malicious links or compromised domains/IPs used for initial compromise. SOC analysts should monitor for unusual network traffic patterns, lateral
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne
Hunt package for 46 malicious URLs tagged as 32-bit
Hunt package for 2 malicious URLs tagged as 54e64e
Hunt package for 17 malicious URLs tagged as ClearFake
Hunt package for 28 malicious URLs tagged as elf
Hunt package for 8 malicious URLs tagged as malware_download
Hunt package for 4 malicious URLs tagged as mirai
The Mozi malware family is a backdoor that enables remote
This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net \ net1
Encoded version of pcclient found on disk
File matching the md5 above tends to only live in memory, hence the lack of MZ header check.
Detects code from APT wateringhole
APT malware used to drop PcClient RAT
The YARA rule 'apt_c16_win64
3102 code features
3102 Identifying Strings
9002
9002 code features
9002 Identifying Strings
This query helps review the count of users attacked more than x times the average.
This query will identify strings in process command lines which match Base64 encoding format, extract the string to a column called Base64, and decode it in a column called DecodedString.
Finding base64-encoded PE file headers seen in command line parameters. Tags: #fileLess #powershell.
Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. This service is commonly used for legitimate purposes, but can also be used as part
Detects BlackEnergy 2 Malware
Visualises the trend of malicious URL clicks that were blocked by Safe Links over the past 30 days, helping analysts monitor the effectiveness of click protection policies. Based on Defender for Offic
This is a patched CMD. This is the CMD that RoyalCli uses.
This query will detect encoded powershell based on the parameters passed during process creation. This query will also work if the PowerShell executable is renamed or tampered with since detection is
This query looks for processes that load an older version of the system.management.automation libraries. While not inherently malicious, downgrading to PowerShell version 2 can enable an attacker to b
This query helps review the list of top users clicking on phishing URLs.
Process executed from a binary hidden in a Base64 encoded file. Encoding malicious software is a technique to obfuscate files from detection. The first and second ProcessCommandLine component is looking
YARA rule: FE_APT_9002
This query identifies files that are copied to a device over SMB, then executed within a specified threshold. Default is 5 seconds, but is configurable by tweaking the value for ToleranceInSeconds.
Visualises malicious URL clicks that were allowed through Safe Links over time, helping analysts identify when users bypass security controls and click on malicious content. Based on Defender for Offi
Visualises emails containing QR code URLs that have been detected as malicious, helping analysts identify QR code-based attack campaigns. Based on Defender for Office 365 workbook: https://techcommuni
This query helps review sender IPs sending malicious email of type Malware or Phish.
Visualises click attempts on malicious URLs, grouped by workload (such as Exchange, Teams, SharePoint, Copilot etc.), to help analysts understand which workloads are most targeted. Based on Defender f
APT15 bs2005
This is an Exchange enumeration/hijacking tool used by APT15
Find generic data potentially relating to APT15 tools
Generic strings found in the Royal CLI tool
APT15 RoyalCli backdoor
DNS backdoor used by APT15
Finding attackers hiding malware in the recycle bin. Read more here: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/. Tags: #execution #SuspiciousPath.
Finds legitimate system32 or syswow64 executables being run under a different name and in a different location. The rule will require tuning for your environment. MITRE: Masquerading https://attack.mi
Detects PAS Tool PHP Web Kit
The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.
This query visualises the daily number of emails that had an admin post-delivery action, summarizing the data by action type
This query visualises the number of emails that had a post-delivery action, summarizing the data daily by the final location as a result of the action
This query visualises the daily number of emails that had a post-delivery action from zero-hour auto purge, summarizing by phish, spam or malware detection action
This query visualises the daily number of emails that had a post-delivery action from zero-hour auto purge.
This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
Hunt package for 4 IOCs associated with Kimwolf
Hunt package for 61 IOCs associated with ClearFake
Hunt package for 3 IOCs associated with EtherRAT
Hunt package for 2 IOCs associated with FAKEUPDATES
Hunt package for 5 IOCs associated with KongTuke
Hunt package for 32 IOCs associated with Unknown malware
Hunt package for 3 IOCs associated with Unknown Stealer
Hunt package for 3 IOCs associated with ACR Stealer
Hunt package for 3 IOCs associated with AdaptixC2
Hunt package for 4 IOCs associated with AsyncRAT
Hunt package for 36 IOCs associated with Cobalt Strike
DCRat is a remote access Trojan that enables adversaries to exfiltrate data and execute commands on infected systems. It typically arrives via phishing emails or malicious downloads, establishing communication through the identified IP:port
Hunt package for 5 IOCs associated with GCleaner
Hunt package for 4 IOCs associated with PureRAT
Hunt package for 5 IOCs associated with Quasar RAT
Hunt package for 4 IOCs associated with Remcos
Hunt package for 6 IOCs associated with Remus
Hunt package for 4 IOCs associated with Vidar
Hunt package for 17 IOCs associated with VShell
Hunt package for 2 IOCs associated with XWorm
This query helps review the list of the top 10% most attacked users
This query helps review the list of the top 10 URL domains attacking the organization
Visualises the top 10 users with click attempts on URLs in emails detected as malware, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook:
Visualises the top 10 users with click attempts on URLs in emails detected as phishing, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook:
Visualises the top 10 users with click attempts on URLs in emails detected as spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook: htt
This query helps review the top external malicious email senders with malware or phishing emails in an organization in the last 30 days
This query helps review the top targeted users with malware or phishing emails in an organization in the last 30 days
Visualises the total amount of click attempts on URLs with detections, split by the different threat types identified. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/bl
This query helps review the URL click count by ClickAction
In this query, we are looking for URL clicks on emails that were actioned by zero-hour auto purge
In this query, we are looking at URL click actions by URL in the last 7 days
Summarizes URL click events by action type to help analysts understand user click behavior and policy effectiveness. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog
In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected
Hunt package for 10 malicious URLs tagged as 102-220-160-47
Hunt package for 2 malicious URLs tagged as 176-65-139-194
Hunt package for 7 malicious URLs tagged as 176-65-139-7
Hunt package for 3 malicious URLs tagged as 176-65-139-99
Hunt package for 5 malicious URLs tagged as 176-65-149-239
Hunt package for 15 malicious URLs tagged as 32-bit
Hunt package for 7 malicious URLs tagged as 93-115-172-57
Hunt package for 3 malicious URLs tagged as arm
Hunt package for 9 malicious URLs tagged as ClearFake
Hunt package for 12 malicious URLs tagged as dropped-by-Phorpiex
Hunt package for 4 malicious URLs tagged as elf
Hunt package for 34 malicious URLs tagged as malware_download
The Mirai malware family compromises IoT devices by exploiting default credentials, turning them into bots for large-scale DDoS
Hunt package for 9 malicious URLs tagged as Mozi
Hunt package for 2 malicious URLs tagged as RemcosRAT
Visualises where URLs have been identified in emails, summarizing by location (for example: Attachment, header, body) to help analysts understand distribution and risk. Based on Defender for Office 36
This query helps review malicious clicks where the user was allowed to click through the malicious URL warning page.
This query provides insights on users who clicked on a suspicious URL
This query helps determine click-throughs on emails that were delivered because of detection overrides.
This query helps review user-reported email submissions
Detects PAS Tool PHP Web Kit
Detects PAS Tool PHP Web Kit
This query visualises the daily amount of admin false negative submission by submission type.
This query visualises the daily amount of admin false positive submission by submission type.
This query visualises all emails submitted as false positives by admins, summarizing by the original filter verdict's threat type
This query visualises the original detection technology of emails submitted as phish false positives by admins
This query visualises the original detection technology of emails submitted as spam false positives by admins
This query visualises the total amount of admin false negative or false positive submissions by the verdict of the submission grading.
This query visualises the total amount of admin false negative submissions by the state of the submission.
This query visualises the total amount of admin false positive submissions by the state of the submission.
This query helps review admin-reported email submissions
This query visualises the total amount of admin false positive submission by submission type.
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX
YARA rule: Ham_backdoor
This query visualises total emails with Phish (BEC) - Impersonation detections over time.
CommentCrew-threat-apt1
CommentCrew-threat-apt1
The YARA rule 'PLUGX_RedLeaves' detects specific RedLeaves and PlugX malware binaries associated with advanced persistent threat campaigns. SOC teams should deploy
The YARA rule 'RED
Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT
Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT
Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
This query helps review the count of spoof and impersonation detections per sender IP
This query helps review the count of phish detections made by spoof detection methods
This query visualises total emails with Phish (BEC) Spoof detections by Detection Technology
This query visualises total emails with Phish (BEC) Spoof detections by Detection Technology over time
This query visualises total emails with Business Email Compromise (BEC) spoof detections over time, summarizing the data daily.
This query helps review the status of submissions
Hunt package for 4 IOCs associated with Kimwolf
Hunt package for 5 IOCs associated with PerlBot
Hunt package for 6 IOCs associated with XMRIG
Hunt package for 39 IOCs associated with ClearFake
Hunt package for 6 IOCs associated with KongTuke
Hunt package for 2 IOCs associated with magecart
Hunt package for 21 IOCs associated with Unknown malware
Hunt package for 4 IOCs associated with Unknown Loader
Hunt package for 2 IOCs associated with AdaptixC2
Hunt package for 4 IOCs associated with AsyncRAT
Hunt package for 43 IOCs associated with Cobalt Strike
Hunt package for 2 IOCs associated with DanaBot
Hunt package for 2 IOCs associated with DCRat
Hunt package for 5 IOCs associated with Remcos
The Remus malware family is designed to exfiltrate sensitive data and establish persistence within compromised systems, often
Hunt package for 2 IOCs associated with Sliver
Hunt package for 3 IOCs associated with SmokeLoader
Hunt package for 4 IOCs associated with Tofsee
Hunt package for 3 IOCs associated with ValleyRAT
Hunt package for 46 IOCs associated with Vidar
Hunt package for 5 IOCs associated with VShell
The T
This query visualises emails submitted as false negatives by admins where the emails were already detected by MDO but an admin policy override applied
This query visualises emails submitted by admins as false negatives, summarizing the data by top 10 sender domains of those emails
This query visualises emails submitted by admins as false positives, summarizing the data by top 10 sender domains of those emails
This query visualises the top admins performing false negative submissions
This query visualises the top admins performing false positive submissions
This query graphs top accounts performing user submissions
This query visualises the top outbound recipient domains by outbound email volume and shows the total number of inbound emails with threats from the same domains (as inbound senders)
Total Submissions by Submission State
Total Submissions by Submission Type
Hunt package for 27 malicious URLs tagged as 32-bit
Hunt package for 4 malicious URLs tagged as arm
Hunt package for 5 malicious URLs tagged as c2-monitor-auto
Hunt package for 11 malicious URLs tagged as ClearFake
Hunt package for 6 malicious URLs tagged as CoinMiner
Hunt package for 5 malicious URLs tagged as elf
Hunt package for 3 malicious URLs tagged as jar
Hunt package for 37 malicious URLs tagged as malware_download
Hunt package for 3 malicious URLs tagged as mirai
Hunt package for 6 malicious URLs tagged as Mozi
Hunt package for 6 malicious URLs tagged as WeedHack
This query visualises the daily amount of user false negative submissions by submission type, including phish simulations reported by users.
This query visualises user submission types compared with the admin review verdict
This query visualises user submissions where the admin also performed a 'mark and notify' action on the submission
This query visualises the total amount of user false negative submissions by submission type, including phish simulation emails reported by users
This query visualises the total amount of user false negative or false positive submissions by the verdict of the submission grading.
This query visualises the total amount of user false negative submissions from the junk folder
This query visualises emails submitted as false negatives by users where the emails were already detected by MDO but an admin-defined policy override applied
This query visualises emails submitted as false negatives by users where emails were already detected by MDO but there was a policy override.
This query visualises top sender email addresses of inbound emails submitted as false negatives by users.
This query visualises top sender domains of inbound emails submitted as false negatives by users.
This query visualises top sender email addresses of intra-org emails submitted as false negatives by users.
This query visualises top 10 subjects of intra-org emails submitted as false negatives by users.
This query helps to find threats using display name impersonation for users not already protected with User Impersonation
This query provides insights into AIR investigation actions in Microsoft Defender for Office 365.
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
This query visualises total inbound emails that have any bulk complaint level.
CommentCrew-threat-apt1
In this detection, we hunt for emails with randomly named attachments sent from the same sender to multiple recipients
In this detection, we track emails with suspicious keywords in subjects.
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
In this detection, we check sender prevalence over the last 14 days and use it to detect malicious activity via emails containing QR codes
CommentCrew-threat-apt1
This query helps review incoming email messages where the sender's display name contains your own company/brand name or that of a partner
CommentCrew-threat-apt1
CommentCrew-threat-apt1
This query visualises total inbound emails with Spam detections.
This query visualises top 10 users targeted with Spam.
This query visualises total inbound emails with Spam detections summarizing the data by the top 15 email sender P2 domain (SenderFromDomain).
This query visualises top 15 users targeted with Spam with summarized spam detections.
In this query, we hunt for delivered inbound emails containing URLs extracted from QR codes
In this query, we hunt for inbound emails containing URLs extracted from QR codes and suspicious keywords in the subject
In this query, we hunt for inbound emails containing URLs extracted from QR codes and sent by non-prevalent senders
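The QR-code entries above all rest on the same technique: build a baseline of which senders normally deliver mail to the tenant, then treat QR-code URLs from senders outside that baseline as the interesting set. The advanced hunting query below is an added example written for this page, not one of the catalog's own queries. It assumes that `EmailUrlInfo.UrlLocation` carries the value `"QRCode"` for URLs extracted from QR codes, and that a sender with fewer than `prevalenceFloor` inbound messages in the 14-day baseline counts as non-prevalent; both thresholds and the subject keyword list are illustrative and should be tuned per tenant.

```kql
// Added example (not one of the catalog's own queries): a sender-prevalence baseline
// applied to inbound emails carrying URLs extracted from QR codes.
// Assumptions: EmailUrlInfo.UrlLocation holds the value "QRCode" for QR-derived URLs,
// and a sender with fewer than prevalenceFloor prior inbound messages is "non-prevalent".
let baselineWindow = 14d;       // history used to establish which senders are normal
let detectionWindow = 1d;       // period being hunted
let prevalenceFloor = 5;        // prior messages needed for a sender to count as known
let suspiciousSubjectTerms = dynamic(["password", "MFA", "payroll", "invoice", "voicemail", "DocuSign"]);
// Senders that were already delivering mail before the detection window began
let KnownSenders = EmailEvents
    | where Timestamp between (ago(baselineWindow) .. ago(detectionWindow))
    | where EmailDirection == "Inbound"
    | summarize PriorMessages = count() by SenderFromAddress
    | where PriorMessages >= prevalenceFloor;
EmailUrlInfo
| where Timestamp > ago(detectionWindow)
| where UrlLocation == "QRCode"
| project NetworkMessageId, Url, UrlDomain
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(detectionWindow)
    | where EmailDirection == "Inbound"
    | where DeliveryAction == "Delivered"
    | project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
              RecipientEmailAddress, Subject, ThreatTypes
  ) on NetworkMessageId
// leftanti keeps only rows whose sender has no baseline entry, i.e. non-prevalent senders
| join kind=leftanti KnownSenders on SenderFromAddress
// EmailEvents has one row per recipient, so collapse to one row per message
| summarize FirstSeen = min(Timestamp), Recipients = dcount(RecipientEmailAddress),
            QrDomains = make_set(UrlDomain, 10), SampleUrl = any(Url),
            AlreadyFlagged = countif(isnotempty(ThreatTypes))
    by NetworkMessageId, SenderFromAddress, SenderFromDomain, Subject
| extend SuspiciousSubject = Subject has_any (suspiciousSubjectTerms)
| order by SuspiciousSubject desc, Recipients desc
```

The `leftanti` join is what turns the baseline into a filter: any message whose `SenderFromAddress` appears in `KnownSenders` is dropped, so only first-seen or low-volume senders survive. Raising `prevalenceFloor` makes the query stricter; dropping the `DeliveryAction == "Delivered"` line widens it to messages that were already blocked or quarantined, which is useful for campaign scoping rather than triage.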
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
CommentCrew-threat-apt1
CommentCrew-threat-apt1
This query shows information about high confidence phish email that has been released from the Quarantine.
In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
In this detection, we use the MDO alert 'Email reported by user as malware or phish' as a starting point to identify the scope of a campaign.
This query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology
This query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology over time
In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
YARA rule: is__elf
CommentCrew-threat-apt1
CommentCrew-threat-apt1
Listing Email Remediation Actions performed via Explorer in Defender for Office 365
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
In this detection, we track emails with personalized subjects.
In this detection, we track emails with personalized subjects.
This query visualises the total amount of phish emails that are quarantined, summarized by the detection method
This query visualises the amount of phish emails that are quarantined, summarized daily by the detection method
This query shows information about email that has been released from the Quarantine in Defender for Office 365.
This query helps reviewing quarantine release trend in Defender for Office 365
This query visualises emails released from quarantine and summarizing the result by the original filter verdict
This query visualises the total amount of spam emails that are quarantined, summarized by the detection method
This query visualises the amount of spam emails that are quarantined, summarized daily by the detection method
In this detection, we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
Identifies RTFs with potential shellcode
CommentCrew-threat-apt1
This query visualises total emails with Spam detections over time summarizing the data daily by Delivery Location.
This query visualises total emails with Spam detections summarizing the data by email sender IP address (SenderIPv4, SenderIPv6).
This query visualises total emails with Spam detections summarizing the data by various Spam detection technologies/controls.
This query visualises total emails with Spam detections over time summarizing the data daily
This query visualises total emails with Spam detections over time by various Spam Detection technologies/controls.
CommentCrew-threat-apt1
This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
CommentCrew-threat-apt1
CommentCrew-threat-apt1
CommentCrew-threat-apt1
Hunt package for 4 IOCs associated with Kimwolf
Mirai is a DDoS botnet malware that infects IoT devices to launch
Hunt package for 5 IOCs associated with PerlBot
Hunt package for 8 IOCs associated with RedTail
Hunt package for 6 IOCs associated with XMRIG
Hunt package for 22 IOCs associated with ClearFake
Hunt package for 2 IOCs associated with Unknown malware
Hunt package for 3 IOCs associated with AsyncRAT
Hunt package for 37 IOCs associated with Cobalt Strike
Hunt package for 10 IOCs associated with CobaltMirage FRP
DCRat is a remote access trojan that enables attackers to exfiltrate data and
Hunt package for 6 IOCs associated with Lumar
Hunt package for 5 IOCs associated with Remus
Hunt package for 2 IOCs associated with SectopRAT
Hunt package for 2 IOCs associated with Stealc
Hunt package for 8 IOCs associated with StrelaStealer
Hunt package for 19 IOCs associated with Vidar
Hunt package for 82 IOCs associated with VShell
This query visualises total inbound emails that have any bulk complaint level.
This query visualises total inbound emails with Phish detections summarizing the data by the top recipient email address (RecipientEmailAddress)
CommentCrew-threat-apt1
Hunt package for 37 malicious URLs tagged as 32-bit
Hunt package for 15 malicious URLs tagged as ClearFake
Hunt package for 17 malicious URLs tagged as elf
Hunt package for 19 malicious URLs tagged as malware_download
Hunt package for 25 malicious URLs tagged as mirai
Hunt package for 4 malicious URLs tagged as Mozi
Hunt package for 12 malicious URLs tagged as unknown
This query visualises total emails with Phish detections over time summarizing the data daily by Phish detection technologies/controls used for detecting unknown-unique phish
Hunting query that identifies admin consent grants to Entra ID applications. Admin consent (also referred to as tenant-wide consent) allows an administrator to authorize an application to access resou
Hunting query that identifies Entra ID application registrations and updates where one or more redirect URIs (reply URLs) point to an external domain that is not a trusted Microsoft endpoint, localhos
This query helps surface phishing campaigns associated with Appspot abuse.
Hunting query that identifies Conditional Access policies that have been disabled or deleted. An attacker who obtains privileged access to an Entra ID tenant will commonly disable or delete CA policie
This query visualises total inbound emails with Phish detections summarizing the data by the top email sender P2 domain (SenderFromDomain).
Detects an embedded executable in a non-executable file
Hunting query that identifies guest or external accounts being added to privileged Entra ID directory roles. External accounts are identified by the presence of #EXT# in the UserPrincipalName, which i
YARA rule: hancitor_dropper
YARA rule: macrocheck
The 'maldoc
YARA rule: maldoc_find_kernel32_base_method_1
YARA rule: maldoc_find_kernel32_base_method_2
YARA rule: maldoc_find_kernel32_base_method_3
The 'maldoc_function_prolog_signature' rule detects malicious document code patterns associated with malware function prologs. SOC teams should deploy this rule in endpoint EDR scanning, email gateways, and file share monitoring to
YARA rule: maldoc_getEIP_method_1
YARA rule: maldoc_getEIP_method_4
YARA rule: maldoc_indirect_function_call_1
YARA rule: maldoc_indirect_function_call_2
YARA rule: maldoc_indirect_function_call_3
YARA rule: maldoc_structured_exception_handling
YARA rule: maldoc_suspicious_strings
Detect weaponized RTF documents with OLE2Link exploit
MWI generated document
Hunting query that identifies OAuth consent events where the granted permission scope includes high-risk delegated or application permissions, and where the target application has not been observed in
This query visualises total emails with Phish detections over time summarizing the data daily by Delivery Location.
This query visualises total emails with Phish detections summarizing the data by various Phish detection technologies/controls
This query visualises total emails with Phish detections over time summarizing the data daily by various Phish Detection technologies/controls
This query visualises emails with Phish detections (High confidence) summarizing the data by Delivery Location.
This query visualises emails with Phish detections (Normal confidence) summarizing the data by Delivery Location.
This query visualises total emails with Phish detections over time summarizing the data daily.
This query helps hunting for possible device code Phishing attempts
Punycode lookalike domains in Emails and Teams messages
Hunt package for 46 IOCs associated with ClearFake
Hunt package for 4 IOCs associated with Unknown malware
Hunt package for 4 IOCs associated with AsyncRAT
Cobalt Strike is a sophisticated malware used for persistent remote access, command-and-control (C2) communication, and executing payloads to exfiltrate data or move laterally within
Hunt package for 2 IOCs associated with Formbook
Hunt package for 3 IOCs associated with Havoc
The Loki Password Stealer (PWS) is a malware family designed to exfiltrate sensitive credentials and system data by leveraging stolen
Hunt package for 2 IOCs associated with NetSupportManager RAT
Hunt package for 7 IOCs associated with NjRAT
Hunt package for 3 IOCs associated with Quasar RAT
Hunt package for 4 IOCs associated with Remcos
Hunt package for 3 IOCs associated with ValleyRAT
Hunt package for 110 IOCs associated with Vidar
This query helps in reviewing top policies for user overrides (Allow/Block)
This query visualises the total amount of emails subject to an admin policy with action of allow, independent of action taken, summarizing the data by type of override
This query visualises the amount of emails subject to an admin policy with action of block, summarizing the data daily
This query visualises the amount of emails subject to a user type policy with action of allow, summarizing the data by type of override and threats type found
This query visualises the amount of emails subject to a user type policy with action of block, summarizing the data daily
Hunt package for 55 malicious URLs tagged as 32-bit
Hunt package for 33 malicious URLs tagged as ClearFake
Hunt package for 6 malicious URLs tagged as malware_download
Hunt package for 6 malicious URLs tagged as Mozi
YARA rule: BlackHole_v2
Detect a VBE file inside a byte sequence
Dridex Malware in XML Document
EmbeddedFiles were introduced in v1.3
Flate was introduced in v1.2
3.4.1, 'File Header' of Appendix H states that ' Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.' Therefore, if you see this trigger then any ot
YARA rule: invalid_trailer_structure
XObject's require v1.4+
The first entry in a cross-reference table is always free and has a generation number of 65,535
JBIG2 was introduced in v1.4
These are commonly used to split up JS code
JavaScript was introduced in v1.3
The 'malicious_author' YARA rule comes from Glenn Edwards' (@hiddenillusion) PDF rule set; Glenn Edwards is the rule's author, not a threat actor. It flags PDF documents whose metadata fields (author, creator, producer) match values observed in known malicious PDFs. SOC teams should deploy this rule in endpoint EDR scanning, email gateways, and file share monitoring to identify and mitigate such documents.
The 'multiple_filtering' YARA rule detects malware or payloads employing multiple filtering techniques to evade detection mechanisms. SOC teams should deploy this rule in endpoint EDR scanning, email gate
Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed
YARA rule: PDF_Embedded_Exe
The 'possible_exploit' YARA rule detects potential malicious code or exploit artifacts commonly associated with advanced threats. SOC teams should deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify and mitigate exploit-related activities.
This YARA rule detects malicious PowerShell scripts commonly used in cyberattacks. SOC teams should deploy it in endpoint EDR scanning, email gateway, and file share monitoring to identify and block suspicious PowerShell activity.
YARA rule: ppaction
The 'shellcode_blob_metadata' rule detects large Base64-encoded blobs in metadata fields, which are often indicative of embedded shellcode awaiting decoding. SOC teams should deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify potential malicious payloads.
This query helps in reviewing malicious emails allowed due to admin overrides
This query helps in reviewing malicious emails allowed due to user overrides
YARA rule: suspicious_author
YARA rule: suspicious_creation
YARA rule: suspicious_creator
YARA rule: suspicious_embed
YARA rule: suspicious_js
YARA rule: suspicious_launch_action
The 'suspicious_obfuscation' rule detects obfuscated code or files that may hide malicious payloads, often used in evasion techniques. SOC teams should deploy this rule in endpoint EDR scanning, email gateway analysis, and file share monitoring to identify potential threats.
YARA rule: suspicious_producer
This query looks for Teams messages from an external user with a suspicious display name.
YARA rule: suspicious_title
The 'suspicious_version' YARA rule detects files with known malicious versions or variants associated with malware families. SOC teams
This query visualises the daily amount of admin false negative Teams message submissions by submission type of Phish or Malware
This query visualises the daily amount of admin false positive Teams message submissions
This query visualizes Teams messages submitted by users or admins then graded in the submission process.
This query visualizes the daily amount of blocked Url clicks performed by users on Urls in Teams messages.
This query helps hunt for Teams messages with Malware threats that have been ZAPed.
This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.
This query helps hunt for Teams messages that have been ZAPed with the same URL in Email.
This query helps hunt for Teams messages from a specific sender by ThreadType.
This query helps hunt for Teams messages with suspicious URL domains.
This query helps hunt for Teams messages with Phish threats that have been ZAPed.
This query visualizes the daily amount of post delivery events on Teams messages.
This query helps hunt for Teams messages with Spam threats that have been ZAPed.
This rule detects and alerts on known threats in Teams messages when a contained domain or URL matches a Microsoft Defender Threat Intelligence indicator (of type 'Domain' or 'URL')
This query visualizes user clicks in Teams summarizing the data by the various URLs and Click actions on them.
This query visualizes clicks through actions on Phish or Malware URLs in Teams, summarizing the data by Urls.
This query visualises the daily amount of user false negative and false positive Teams message submissions
This query helps hunt for Teams users clicking on suspicious URL domains.
Hunt package for 2 IOCs associated with Evilginx
Hunt package for 27 IOCs associated with ClearFake
Hunt package for 20 IOCs associated with KongTuke
Hunt package for 22 IOCs associated with Unknown malware
Hunt package for 9 IOCs associated with AdaptixC2
Hunt package for 17 IOCs associated with AsyncRAT
Cobalt Strike is a penetration testing tool often weaponized for initial access, lateral movement, and command-and-control (C2) communication, leveraging IP
DCRat is a remote access Trojan that enables attackers to exfiltrate data and execute commands on infected systems. It typically arrives via network-based C2 communication through specified IP:port pairs, often leveraging
Form
Hunt package for 3 IOCs associated with Havoc
The Loki Password Stealer (PWS) is a malware family designed to exfiltrate credentials and sensitive data from infected systems. It typically arrives via phishing emails or malicious URLs that download the payload to compromised endpoints. SOC analysts should monitor for unusual network traffic, lateral movement, and signs of credential dumping beyond the observed URLs.
Quasar RAT is a remote access trojan that enables attackers to
Hunt package for 5 IOCs associated with Remcos
Hunt package for 4 IOCs associated with Sliver
Hunt package for 3 IOCs associated with ValleyRAT
Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting banking credentials and system information. It typically arrives through phishing emails containing malicious URLs or via compromised domains
Hunt package for 2 IOCs associated with XWorm
Top 10 attacked users by Phish messages from external senders using Teams
This query visualises the top 10 external senders sending Teams messages
This query looks for the top 10 external senders sending Teams phishing messages.
This query visualises Teams messages submitted by admins as false negatives, summarizing the data by top 10 sender domains of those messages
This query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by top 10 sender domains of those messages
This query visualises Teams messages submitted by admins as false negatives, summarizing the data by top 10 individual senders of those messages
This query visualises Teams messages submitted by admins as false positives, summarizing the data by top 10 individual senders of those messages
This query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by top 10 individual senders of those messages
This query visualizes Top 10 Users clicking on malicious Phish or Malware URLs in Teams.
This query visualises the top admins performing false negative or false positive admin submissions of Teams messages
This query visualises the top users performing false negative or false positive user submissions of Teams messages
This query looks for potential partner compromise by comparing outbound Teams message traffic per target domain with malicious inbound Teams messages from the same domains.
Top external senders sending malicious inbound Teams messages Spam, Phish, Malware
Top External Sender domains sending Teams message with Malware threats
Top External Sender domains sending Teams message with Phish threats
Top External Sender domains sending Teams message with Spam threats
This query helps hunt for top malicious URLs clicked by users in Teams
This query helps in reviewing top policies for admin overrides (Allow/Block)
This query visualises the total number of MDO Teams protection detections daily
This query visualizes URL clicks on URLs in Teams messages that were acted on by ZAP.
Hunt package for 14 malicious URLs tagged as 32-bit
Hunt package for 10 malicious URLs tagged as arm
Hunt package for 77 malicious URLs tagged as ClearFake
Hunt package for 18 malicious URLs tagged as elf
Hunt package for 5 malicious URLs tagged as malware_download
Hunt package for 3 malicious URLs tagged as mirai
Hunt package for 5 malicious URLs tagged as Mozi
Hunt package for 2 malicious URLs tagged as sh
YARA rule: XDP_embedded_PDF
YARA rule: APT_OLE_JSRat
This query detects changes to blocked Teams domains.
This query detects changes to blocked Teams domains and can be used as an NRT detection.
In this query, we look for emails containing malware that were accessed on an unmanaged device
In this query, we are looking for emails containing malware attachment sent by an internal sender
This query helps review email malware detection cases
This query visualises total inbound emails with Malware detections summarizing the data by the top email sender P2 domain (SenderFromDomain)
This query helps hunt for recipients of Teams messages.
This query helps hunt for external malicious Teams messages sent from internal senders
This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on built-in SharePoin
This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on Defender for Offic
This query visualises total files located on SharePoint, OneDrive and Teams with Malware detections over time summarizing the data daily.
Correlates Microsoft Teams message activity with downstream Defender alerts on the recipient (victim) identity, surfacing potential phishing or social-engineering chats that are followed by alert acti
This query helps hunt for Teams messages with malicious URLs based on external Threat Intelligence source
Correlates inbound Microsoft Teams messages with subsequent execution of common Remote Monitoring and Management (RMM) tools (QuickAssist, AnyDesk, TeamViewer) on the recipient's device within a shor
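The social-engineering pattern behind the entry above is an external Teams contact talking a user into launching a remote-assistance tool, so the useful signal is the time gap between the message and the process start on that user's device. The query below is an added example written for this page, not the catalog's own query. It assumes the recipient's Teams address equals the `AccountUpn` recorded in `DeviceProcessEvents` (adjust the join key if UPN and primary SMTP address differ in your tenant), that `MessageEvents.IsExternalThread` is a boolean, and that a 30-minute follow-up window and the listed binary names are reasonable starting points.

```kql
// Added example (not one of the catalog's own queries): inbound external Teams messages
// followed within a short window by an RMM tool launch on a device where the recipient is signed in.
// Assumptions: recipient Teams address == AccountUpn on the device; IsExternalThread is a bool;
// the binary list and the 30-minute window are starting points, not vendor-supplied values.
let lookback = 1d;
let followUpWindow = 30m;
let rmmBinaries = dynamic(["quickassist.exe", "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe"]);
let ExternalTeamsMessages = MessageEvents
    | where Timestamp > ago(lookback)
    | where IsExternalThread == true
    // lower-case the address so the join is not defeated by case differences
    | project MsgTime = Timestamp, Recipient = tolower(RecipientEmailAddress),
              SenderEmailAddress, SenderDisplayName, ThreadType, TeamsMessageId;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (rmmBinaries)
| where isnotempty(AccountUpn)
| project ProcTime = Timestamp, Recipient = tolower(AccountUpn), DeviceName, FileName,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName
| join kind=inner ExternalTeamsMessages on Recipient
// keep only launches that happened after the message and inside the follow-up window
| where ProcTime between (MsgTime .. (MsgTime + followUpWindow))
| extend MinutesAfterMessage = datetime_diff("minute", ProcTime, MsgTime)
| project MsgTime, ProcTime, MinutesAfterMessage, Recipient, SenderEmailAddress, SenderDisplayName,
          ThreadType, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessAccountName, TeamsMessageId
| order by MsgTime desc
```

`IsExternalThread` marks the thread, not the sender, so an internal user's own replies in an external chat also appear in `ExternalTeamsMessages`; add a filter on `SenderEmailAddress` for your own domains if that noise matters. `InitiatingProcessFileName` is worth keeping in the output: an RMM binary started from `explorer.exe` after a user double-clicked a download looks different from one started by a helpdesk deployment tool.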
This query helps review the volume of inbound external Teams messages by sender domain
This query helps review malicious Teams message detections by URL detection method
This query helps hunt for malicious Teams messages received from external senders.
This query visualises total emails with Malware detections over time summarizing the data daily by Delivery Location.
This query visualises total emails with Malware detections summarizing the data by various Malware detection technologies/controls.
This query visualises total emails with Malware detections over time summarizing the data daily by various Malware detection technologies/controls.
This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the locations they are stored
This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the workload in which they are stored
This query visualises total emails with Malware detections over time summarizing the data daily.
Use AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages.
This query visualises the number of unique accounts performing Teams message admin submissions as false negatives or false positives
This query visualises the number of unique accounts performing Teams message user submissions as false negatives or false positives
This query can be used as a Custom Detection Rule (CDR) to trigger when a partner email domain or email address is used in a Sender display name part of an inbound external Teams message
This query looks for possible Teams phishing activity.
This query provides insights on a potentially malicious URL click in Teams
Detects rare domains (seen in fewer than 3 Teams messages) appearing in external Microsoft Teams threads within the last 24 hours.
Detects RTF files
This query visualises emails with Spam detections (High confidence) summarizing the data by Delivery Location.
This query visualises emails with Spam detections (Normal confidence) summarizing the data by Delivery Location.
This query helps hunt for communication from suspicious external users.
This query helps hunt for communication with suspicious external users.
Hunt package for 7 IOCs associated with Kimwolf
Hunt package for 2 IOCs associated with Evilginx
Hunt package for 3 IOCs associated with ClearFake
Hunt package for 20 IOCs associated with KongTuke
Hunt package for 8 IOCs associated with Unknown malware
Hunt package for 3 IOCs associated with AdaptixC2
Hunt package for 19 IOCs associated with AsyncRAT
Hunt package for 5 IOCs associated with Cobalt Strike
DCRat is a
Hunt package for 2 IOCs associated with Havoc
Hunt package for 3 IOCs associated with Nanocore RAT
Hunt package for 3 IOCs associated with NetSupportManager RAT
Quasar RAT is a remote access trojan that enables attackers to execute commands, steal data, and
Hunt package for 2 IOCs associated with RansomHub
Hunt package for 6 IOCs associated with Remcos
Hunt package for 121 IOCs associated with Vidar
Hunt package for 3 IOCs associated with XWorm
This query helps review the top 100 malicious senders
This query helps review the top 100 senders in your organization in the last 30 days
This query visualises total emails with Malware detections summarizing the data by ThreatNames of the malware detected.
This query visualises total inbound emails with Malware detections summarizing the data by the top recipient email address (RecipientEmailAddress)
The "
Hunt package for 18 malicious URLs tagged as arm
Hunt package for 10 malicious URLs tagged as botnetdomain
Hunt package for 2 malicious URLs tagged as ClearFake
Hunt package for 26 malicious URLs tagged as elf
Hunt package for 3 malicious URLs tagged as opendir
Hunt package for 4 malicious URLs tagged as powershell
Hunt package for 61 malicious URLs tagged as ua-wget
This query visualises total emails with Malware detections over time summarizing the data daily by Malware detection technologies/controls used for detecting unknown-unique malware.
This query helps review zero-day threats via URL and file detonations
This query helps report on who previewed/downloaded email messages using the Email entity page in Defender for Office 365
This query helps hunt for automated email notifications and suspicious sign-in activity
This query visualises bad traffic (% of emails with threats) compared to total inbound emails over time summarising the data daily.
This query helps hunt for BEC - File sharing tactics - Dropbox
This query helps hunt for BEC - File sharing tactics - OneDrive or SharePoint
The 'blackhole_basic' YARA rule detects indicators
This query helps calculate the overall efficacy of MDO based on threats blocked pre-delivery, cleaned up post-delivery, or left uncaught.
This query helps review malicious email detections by detection method
This query helps review recipients who are potential victims of email bombing attacks
This query helps get GeoIP information for email SenderIPv4 addresses.
This query helps hunt for emails containing links to IP addresses
This query helps hunt for good emails from senders with bad patterns
This query helps report on email access by administrators
This query helps hunt for possible email bombing attacks in Microsoft Defender for Office 365.
This query helps hunt for email conversation takeover attempts
This query helps hunt for emails with malicious attachments based on SHA256 hashes from an external IOC source
This query helps hunt for emails with malicious URLs based on an external IOC source
This query helps hunt for Tenant allow/block list (TABL) changes in Defender for Office 365
This query helps hunt for Inbox rule changes which forward or redirect email
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in securit
This query helps review emails accessed by end users using cloud app events data
This query helps review mail that is likely a reply, but where there is no history of the people chatting and the domain is new
This query helps review inbound / outbound / intra-org emails by domain per day
This query helps hunt for emails from a sender with at least one email in quarantine
This query helps review Malware, Phishing and Spam emails caught per day
This query helps report daily on the total number of emails and the total number of emails detected by Defender for Office 365
Graph of MDO detections trended over time
This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email appearing to come from an Accepted Domain but DMARC had a (transient) TempError result.
This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email with a URL from OpenPhish was delivered to Inbox
This query helps identify when new items are being added to the Tenant Allow/Block List (TABL) in Defender for Office 365.
This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious OAuth app URL has been delivered into an Inbox.
This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious .SVG file has been delivered into an Inbox.
This query helps check the sender-recipient contact establishment status
Hunt package for 30 IOCs associated with Kimwolf
Hunt package for 184 IOCs associated with ClearFake
Hunt package for 3 IOCs associated with Unknown malware
Hunt package for 5 IOCs associated with AsyncRAT
Hunt package for 2 IOCs associated with Cobalt Strike
The Lumma Stealer malware is a data-exfiltration tool designed to steal sensitive information such as credentials
Hunt package for 5 IOCs associated with Meterpreter
Hunt package for 3 IOCs associated with Nanocore RAT
Hunt package for 3 IOCs associated with NetSupportManager RAT
Hunt package for 2 IOCs associated with RansomHub
Hunt package for 87 IOCs associated with Vidar
Hunt package for 3 IOCs associated with VShell
Identifies the top 10 sender domains delivering inbound emails classified as malware, phishing, or spam. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftde
Identifies the top 10 external sender addresses delivering inbound emails classified as malware. If you want to exclude your own organization's domains (including subdomains), add a filter after the m
Identifies the top 10 external sender addresses delivering inbound emails classified as phishing. If you want to exclude your own organization's domains (including subdomains), add a filter after the
Identifies the top 10 external sender addresses delivering inbound emails classified as spam. If you want to exclude your own organization's domains (including subdomains), add a filter after the spam
Identifies the top 10 users receiving inbound emails classified as malware, phishing, or spam. Based on concepts from the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.
Visualises the top 10 users with click attempts on URLs in emails detected as malware, phishing, or spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Of
This query helps hunt for top outbound recipient domains which are sending inbound emails with threats
Provides a summary of total number of detections
Hunt package for 26 malicious URLs tagged as 32-bit
Hunt package for 13 malicious URLs tagged as apk
The "arm" malware family is designed to exfiltrate sensitive data and establish persistence within infected systems. It typically arrives via phishing
Hunt package for 39 malicious URLs tagged as c2-monitor-auto
Hunt package for 74 malicious URLs tagged as ClearFake
Hunt package for 9 malicious URLs tagged as elf
The "jar" malware family is a Java-based downloader that establishes command-and-control (C2) communication to exfiltrate data and execute arbitrary
Yara rule for Banking trojan targeting South Korean banks
Angler Exploit Kit Redirector
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
Detects scam emails with phishing attachment.
This query helps review the authentication failure count by authentication type. Update the authentication type below to DMARC, DKIM, SPF or CompAuth
Identifies browser extension CRX files observed across endpoints. Helps in enumerating commonly installed extensions and hunting for potentially malicious ones. --- Optional Enrichment: To enrich th
This query visualises total emails with Spoof - Composite Authentication fails summarizing the data daily.
Find devices connected to a monitored network. Please note that line 5 needs to have a monitored network name put in place, or be commented out to pull everything.
Detects scam emails with phishing attachment.
YARA rule: CryptoWall_Resume_phish
The 'dav
This query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers through
// Detect Active Directory service accounts that are not active because their last logon was more than 14 days ago // Replace XXX on line 4 with the naming convention start of your Active Directory se
This query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers through
This advanced hunting query detects processes communicating with known Tor relay IP addresses. The public URL in the query is updated daily at 12PM and 12AM UTC. CSV source is the Tor Project API, obt
Custom detection to find use of torrenting software or browsing related to torrents.
Looking for high volume queries against a given RemoteIP, per DeviceName, RemotePort and Process. Please change the Timestamp window according to your preference/objective, as also the subnet ranges that
This query visualises total emails with Spoof - DKIM fails summarizing the data daily.
This query visualises total emails with Spoof - DMARC fails summarizing the data daily.
YARA rule: docx_macro
This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu
YARA rule: dropper
This rule detects mapin dropper files
YARA rule: Email_Generic_Phishing
The 'Email_quota_limit_warning' rule detects emails indicating a user has exceeded their email storage quota, often used by attackers to mask malicious activity. SOC teams should deploy this rule in email gateways and endpoint EDR solutions to identify potential phishing or malware distribution attempts.
Detects a possible .eml used in the Ukraine BE power attack
Detects a possible .eml used in the Ukraine BE power attack
This query detects delivered phishing emails where the Sender is empty based on recently observed campaigns.
The query finds attempts to list users or groups using Net commands.
Detects the possible extortion scam on the basis of subjects and keywords
YARA rule: Fake_it_maintenance_bulletin
Find accounts that have been deleted and by whom
This rule detects the apk related to hackingteam - These certificates are present in mailboxes of hackingteam
Applications with Installer as an application name
JNLP file extensions are an uncommon file type often used to deliver malware.
Mapin trojan, not for droppers
Find accounts that have been added/removed from groups in AD.
Moskow Droid Development
Detect multiple Active Directory LDAP queries made in bin time. Replace 10 on line 1 with your desired threshold. Replace 1m on line 2 with your desired bin time
// Detect multiple sensitive Active Directory LDAP queries made in bin time // Sensitive queries defined as Roasting or sensitive objects queries // Replace 10 on line 6 with your desired threshold //
This query searches for not onboarded devices with a specific Suffix
Detect Active Directory LDAP queries that search for users with a comment or description that contains the string "pass", which might hint at the user's password. This LDAP query covers MetaSploit - enum_
This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has
This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has
Retefe
Detect Active Directory LDAP queries that search for Kerberoasting (SPNs) or accounts with Kerberos preauthentication not required from Azure ATP, and try to get the process that initiated the LDAP query f
This query provides insights on the detections done by Safe Attachment detections
This query uncovers seen connected networks
This query uncovers seen IPAddressV4 network subnets
This query uncovers seen IPAddressV6 network subnets
Detect Active Directory LDAP queries that search for sensitive objects in the organization. This LDAP query covers the BloodHound tool
Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. To read more about Network Share Discovery, see: https://attack.mitre.org/wiki/T
sms-fraud examples
This is just an example
smsfraud chinese
This rule detects apks related with sms fraud
YARA rule: smspay_chinnese
This query visualises total emails with Spoof - SPF fails summarizing the data daily.
This query helps check for spoofing attempts on the domain with authentication failures
Attackers can use AdFind, which is an administrative tool, to gather information about domain controllers or ADFS servers. They may also rename the executable to mimic other benign tools on the system. The below
Hunt package for 20 IOCs associated with Kimwolf
Hunt package for 107 IOCs associated with ClearFake
Hunt package for 5 IOCs associated with KongTuke
Hunt package for 51 IOCs associated with Unknown malware
AsyncRAT is a remote access Trojan that enables attackers to execute commands, steal data, and maintain persistent access to compromised systems. It typically arrives via phishing emails, malicious downloads, or exploit kits leveraging IP:port connections to establish command-and-control communication. SOC analysts should monitor for unusual outbound traffic on listed ports, signs of lateral
Hunt package for 7 IOCs associated with Cobalt Strike
Hunt package for 2 IOCs associated with Meterpreter
Hunt package for 3 IOCs associated with Nanocore RAT
Hunt package for 2 IOCs associated with Remcos
This query visualises total emails with Spoof-DMARC fails detections summarizing the data by the top email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
This query visualises total emails with Phish-Spoof-external domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
This query visualises total emails with Phish-Spoof-internal domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
Ruleset to detect the Android pornclicker trojan, which connects to a remote host and obtains JavaScript and a list of generated URLs, leading to porn in the end.
This query finds network communication to specific URL. Please note that in line #7 it filters RemoteUrl using has operator, which looks for a "whole term" and runs faster. Example: RemoteUrl has "mic
Hunt package for 46 malicious URLs tagged as 32-bit
Hunt package for 3 malicious URLs tagged as arm
Hunt package for 54 malicious URLs tagged as ClearFake
Hunt package for 18 malicious URLs tagged as elf
Hunt package for 8 malicious URLs tagged as ua-wget
Detect Active Directory LDAP queries that try to find operating systems that are vulnerable to specific vulnerabilities. This LDAP query covers the MetaSploit enum_ad_computers tool
The 'with_attachment' YARA rule detects files containing attachments, which may indicate malicious payloads or phishing attempts. SOC teams should deploy this rule in email gateways, endpoint EDR scanning, and file share monitoring to identify suspicious attachments in network traffic and stored files.
The 'with_images' YARA rule detects the presence of one or more image files within a payload, potentially
Rule to detect the presence of one or several URLs
Rule to detect the absence of any attachment
Rule to detect the absence of any image
Rule to detect the absence of any URL
YARA rule: xbot007
This query will find when federation trust settings are changed for a domain or when the domain is changed from managed to federated authentication. Results will relate to when a new Active Directory
Adware
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse
Yara for variants of Trojan-Banker.AndroidOS.Tordow. Test rule
The YARA rule 'android_mazarBot_z' detects Android malware associated with the MazarBOT family, which is known for credential theft and lateral movement. SOC teams should deploy this
This rule detects apps made with metasploit framework
YARA rule: android_meterpreter
This rule tries to detect OmniRat
This rule detects the banker trojan with overlaying functionality
Yara detection for Android Locker app named Pink Club
The YARA rule Android_RuM
This rule tries to detect Android.Banking.RuMMS
This
This rule detects Android wifi Switcher variants
YARA rule: android_tempting_cedar_spyware
This rule tries to detect Android.Triada.Malware
This query finds anomalous models discovered
Virus de la Policia - android
BankBot/Mazain attacking polish banks
This query surfaces devices that were discovered by Microsoft Defender for Endpoint and can be onboarded
YARA rule: chinese_porn
YARA rule: chinese2
YARA rule: chineseporn4
YARA rule: chineseporn5
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse
This query provides the commonality of operating systems seen in the inventory
This query presents statistics on count and percentage of DeviceType out of total inventory
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse
Adversaries may use obfuscated .jse files to deploy
This query finds devices by DeviceType and/or DeviceSubtype
This query surfaces devices that are in a specific IPAddressV4 subnet
This query surfaces devices that are in a specific IPAddressV6 subnet
To evade security software and analyst tools, Nobelium malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them. T
This query looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. This query is not noisy, but most of its results are clean. It can also hs
This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu
YARA rule: dowgin
This query looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. File sharing sites such as Dropbox are often used for hosting malware on a reputable
Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning that was ignored by the user. Read more about these events and this hunting approach in this p
This query finds a software by name and/or version
YARA rule: genericSMS
YARA rule: genericSMS2
This query was originally published on Twitter, by @MsftSecIntel. Gootkit is malware that started life as a banking trojan, and has since extended its capabilities to allow for a variety of malicious
This query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact. Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capa
Leadbolt
This query was originally published in the threat analytics report, CVE-2020-0601 certificate validation vulnerability. The Windows CryptoAPI Spoofing Vulnerability, CVE-2020-0601, can be exploited to
This query will find applications that have been granted Mail.Read or Mail.ReadWrite permissions to which the corresponding user recently consented. It can help identify applications that have been
The YARA rule 'marcher_v2' detects a new variant of the Marcher malware family, likely used for
YARA rule: marcher2
YARA rule: marcher3
YARA rule: Metasploit_Payload
This query provides the most common services discovered
This query searches for not onboarded devices with a specific prefix
Query for links opened from mail apps - if a detection occurred right afterwards. As there are many links opened from mails, to have a successful hunt we should have some filter or join with some othe
Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites. To learn more about the download URL info that is available and see other sample queries, Ch
Identifies potential service tampering related to Microsoft Defender services. Query inspired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Multipl
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne
This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has
The hypothesis detects Qakbot malware attempting to self-delete to evade detection, a
This query uses the locations from which malicious DLL images are often loaded by regsvr32.exe and rundll32.exe. Blog: https://threathunt.blog/dll-image-loads-from-suspicious-locations-by-regsvr32
This query is looking for regsvr32.exe or rundll32.exe loading DLL images with extensions other than .dll. Joins the data to public network events. References: https://threathunt.blog/running-live-mal
This query looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. Blog: https://threathunt.blog/running-live-malware-f
This rule detects SandroRat
YARA rule: sensual_woman
This query searches for attempts to flush Shimcache, which may indicate anti-forensic or defense evasion activity by an attacker. Author: Vaasudev_Kala Ref: https://blueteamops.medium.com/shimcache-fl
The 'SlemBunk' YARA
This rule detects a kind of SMSFraud trojan
YARA rule: smsfraud2
The 'spyAgent'
Ruleset to detect SpyNetV2 samples.
Yara rule for detection of different Spynote Variants
Looks for suspicious base64-encoded registry keys being created. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/
Looks for suspicious additions of command interpreters to the Windows registry. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/
Looks for suspicious keyword additions to the Windows registry. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/
This rule detects tachi apps (not all malware)
Hunt package for 7 IOCs associated with Kimwolf
Hunt package for 3 IOCs associated with Evilginx
Hunt package for 59 IOCs associated with ClearFake
Hunt package for 4 IOCs associated with SmartApeSG
Hunt package for 52 IOCs associated with Unknown malware
Hunt package for 5 IOCs associated with AdaptixC2
Hunt package for 2 IOCs associated with AsyncRAT
Hunt package for 11 IOCs associated with Cobalt Strike
Hunt package for 3 IOCs associated with DCRat
Hunt package for 3 IOCs associated with Meterpreter
Hunt package for 3 IOCs associated with PlugX
Hunt package for 32 IOCs associated with Remcos
Hunt package for 4 IOCs associated with Remus
Hunt package for 2 IOCs associated with Tofsee
Vidar is a data exfiltration malware that steals credentials and sensitive information via remote access, often leveraging stolen credentials for lateral movement. It typically arrives through phishing emails containing malicious URLs or via compromised domains used for command-and-control communication. SOC analysts should monitor for unusual outbound traffic to listed domains
Detection of dendroid trojan
YARA rule: Trojan_Droidjack
This will show Active Directory Security Token Service (STS) refresh token modifications by Service Principals and Applications other than DirectorySync. Refresh tokens are used to validate identifica
Hunt package for 21 malicious URLs tagged as 32-bit
Hunt package for 8 malicious URLs tagged as arm
Hunt package for 3 malicious URLs tagged as ascii
Hunt package for 31 malicious URLs tagged as ClearFake
Hunt package for 14 malicious URLs tagged as elf
Hunt package for 10 malicious URLs tagged as exe
Hunt package for 31 malicious URLs tagged as malware_download
Hunt package for 2 malicious URLs tagged as sh
Rule to detect Viking Order Botnet.
This query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama. The ransomware known as Wadhrama has been used in human-operated attacks that follow a particul
This query was originally published in the threat analytics report, WDigest credential harvesting. WDigest is a legacy authentication protocol dating from Windows XP. While still used on some corporat
This query shows all modifications to highly sensitive active directory groups (also known as Tier 0). An example of these groups include Domain Admins, Schema Admins and Enterprise Admins. More info
BadMirror is Android malware. The malware sends information to its remote CnC (phone number, MAC address, list of installed applications...) but it also has the capability to execute a few commands s
This rule tries to detect Clicker.G samples
The Android_Copy9 Y
DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries. Detection volumes are moderate, though we consider this a concerning threat
This rule tries to detect Dendroid
This rule tries to detect Dogspectus
Yara rule for the Dogspectus initial ransomware apk
This rule tries to detect Android FakeBank_Fanta
This rule will be able to tag all the samples with local exploits.
This query looks for users accessing multiple other users' mailboxes, or accessing multiple folders in another user's mailbox. This query is inspired by an Azure Sentinel detection. Reference - https:
This YARA rule identifies malicious files containing backdoor or dropper functionality used to deploy additional malware. SOC teams should deploy it in endpoint EDR scanning, email gateways, and file share monitoring
YARA rule: Banker_Acecard
http://research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html
This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i
Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
This query was originally published in the threat analytics report, ShadowHammer supply chain attack. Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse
This query will break down hostnames into their second and third level domain parts and analyze the volume of connections made to the destination to look for low count entries. Note that this query is
Dendroid evidences via Droidian service
Dendroid RAT
Dendroid evidences via ServiceReceiver
Device Network Events Involving Low Count FQDNs. This query reduces network events to only those with the RemoteURL column populated, then parses the DNS name from the URL (if needed) and finds the l
This query looks for the DGA pattern of the domain associated with the Nobelium campaign, in order to find other domains with the same activity pattern. This query is inspired by an Azure Sentinel det
This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu
Looks for a logon domain in the Microsoft Entra ID logs, encoded with the same DGA encoding used in the Nobelium campaign. See Important steps for customers to protect themselves from recent nation-s
This query looks for Entra ID group adds identified by Microsoft Defender for Cloud Apps. It will require a corresponding app connector in Microsoft Defender for Cloud Apps.
This query looks for Entra ID role adds identified by Microsoft Defender for Cloud Apps. It will require a corresponding app connector in Microsoft Defender for Cloud Apps.
Detects fake facebook applications
YARA rule: fake_facebook
The 'fake_instagram
YARA rule: fake_king_games
YARA rule: fake_market
YARA rule: fake_minecraft
YARA rule: fake_whatsapp
This query looks for file download events identified by Microsoft Defender for Cloud Apps. It will require a corresponding app connector in Microsoft Defender for Cloud Apps. Reference - https://lear
Detect Gamma/FinFisher FinSpy for Android #GovWare
This rule automatically adds certificates present in malware
This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by att
YARA rule: ibanking
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. It finds all user accounts that have logged on to an endpoint affected by
This query shows attempts to request a Kerberos service ticket using the AS service, to monitor Kerberos AS authentications.
Koler.A builds
Koler.A class
Koler.D class
Old Koler.A domains examples
Detects samples repackaged by backdoor-apk shell script
This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread
YARA rule: libyan_scorpions
This query finds the 10 latest logons performed by email recipients within 30 minutes after they received known malicious emails. You can use this query to check whether the accounts of the email reci
This query looks for signs of credential dumping based on process activity instead of targeting process names. Author: Jouni Mikkola More info: https://threathunt.blog/lsass-credential-dumping/
Identifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increas
This rule detects a type of banking malware
This query looks for mass downloads identified by Microsoft Defender for Cloud Apps. It will require a corresponding app connector in Microsoft Defender for Cloud Apps.
This query was originally published in a threat analytics report about the group known to other security researchers as APT32 or OceanLotus. This tracked activity group uses a wide array of malicious d
This query was originally published in a threat analytics report about the group known to other security researchers as APT32 or OceanLotus. This tracked activity group uses a wide array of malicious d
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
Private Key Files. This query identifies file operations with files having one of the extensions commonly used to save a private key. The risk is that if an attacker were to obtain the file, they c
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne
This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is
Ransomware
Ransomware Test 2
This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Origina
This query was originally published by PWC Security Research Team. BPFDoor is custom backdoor malware used by Red Menshen. The BPFDoor allows an adversary to backdoor a system and remotely execute cod
This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. Robbinhood is ransomware that has been invo
The hypothesis detects Robbin
YARA rule: sandrorat
Hunting query that looks for credential additions or updates on service principals and applications performed by actors (users or apps) that have not been observed initiating the same operations in th
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, they all exhibit similar behaviors and techniques. The following query looks
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, they all exhibit similar behaviors and techniques. The following query looks
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, they all exhibit similar behaviors and techniques. The following query looks
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, they all exhibit similar behaviors and techniques. The following query looks
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, they all exhibit similar behaviors and techniques. The following query looks
Hunt package for 2 IOCs associated with Evilginx
ClearFake malware is a data exfiltration tool that establishes
KongTuke malware is a downloader that establishes command-and-control (C2) communication via the associated domains to exfiltrate data and deploy additional payloads. It typically arrives through phishing emails containing malicious
Hunt package for 10 IOCs associated with SmartApeSG
Hunt package for 25 IOCs associated with Unknown malware
The "Unknown Webinject" malware
Hunt package for 2 IOCs associated with Cobalt Strike
The Loki Password Stealer (PWS) is a credential-stealing malware that exfiltrates sensitive data such as passwords and browser credentials to command-and-control servers. It typically arrives via phishing emails containing malicious
Lumma Stealer is a data-exfiltration malware that steals sensitive information such as credentials, cookies, and browser data by leveraging compromised systems. It typically arrives via phishing emails or
Hunt package for 2 IOCs associated with Remcos
Hunt package for 3 IOCs associated with SnappyClient
ValleyRAT is a remote access trojan designed for data exfiltration and command-and-control (C2) communication, leveraging encrypted channels to maintain persistence and execute arbitrary payloads. It typically arrives via phishing emails with malicious attachments or exploit kits
Vidar is a data exfiltration malware that steals credentials and sensitive information by leveraging compromised systems to exfiltrate data to command-and-control servers. It typically arrives via phishing emails containing malicious attachments or links to malicious domains and URLs. SOC analysts should monitor for unusual outbound network traffic, unexpected process executions, and signs of credential theft or lateral movement beyond the listed IOCs.
YARA rule: tinhvan
This query looks for the Tor client, or for a common Tor plugin called Meek. We query for active Tor connections, but could alternatively have looked for active Tor runs (ProcessCreateEvents) or Tor downl
From static analysis
Searches for probable APK relationships
From cromosome.py
Hunt package for 27 malicious URLs tagged as 32-bit
Hunt package for 62 malicious URLs tagged as ClearFake
Hunt package for 7 malicious URLs tagged as elf
Hunt package for 7 malicious URLs tagged as malware_download
The Mozi malware family is a backdoor that enables remote command execution and data exfiltration, often used for persistent access and espionage. It typically arrives via phishing emails containing malicious URLs or through compromised websites hosting malicious domains. SOC analysts should monitor
YARA rule for detection of the Fake AliPay SMS Stealer
This rule tries to detect the Spy.Banker AVITO-MMS variant
This rule tries to detect the Spy.Banker AVITO-MMS variant
YARA rule: androrat
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml. Questions via Twitter: @janvonkirchheim.
This rule detects APKs from the ASSD developer
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread
Search for the files that are using a compromised certificate associated with the Nobelium campaign. You can remove the comments to: 1. get the list of devices where there is at least one file signed
Search for the files that are using a compromised certificate associated with the Lapsus$ group. You can remove the comments to: 1. get the list of devices where there is at least one file signed with
This query was originally published in the threat analytics report, Confluence and WebLogic abuse. 2019 has seen several seemingly related campaigns targeting Atlassian Confluence Server and Oracle We
The YARA rule 'coudw' detects artifacts associated with the malware family 'coudw', likely targeting endpoints or networked systems. SOC teams should deploy this rule in endpoint EDR scanning, email gateway
Detects CVE-2018-4878
CVE-2012-0158 variant
Java Applet JMX Remote Code Execution
This query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs. Cypherpunk is a human-operated ransomware campaign named after the unusual .cyphe
This query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs. Cypherpunk is a human-operated ransomware campaign named after the unusual .cyphe
These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec
These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec
These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec
These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec
These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec
YARA rule: droidian
Look for known Elliptic curve orders
Search for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group. See red_team_tool_countermeasures on the off
This query searches for the HASHs of the FireEye Red Team tools compromised by the Nobelium activity group. See all-hashes.csv on the official FireEye repo. References: https://github.com/fireeye/red_
YARA rule: FlashNewfunction
YARA rule: gtalocker
YARA rule: infostealer
YARA rule: jagonca
This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc
YARA rule: JavaDeploymentToolkit
This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
YARA rule: lenovo_reaper
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2
ZLoader was delivered in a campaign in late summer 2021. This campaign was tweeted by @MsftSecIntel on Twitter.
YARA rule: marcher
YARA rule: MSIETabularActivex
This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc
ZLoader was delivered in a campaign in summer 2021 via malvertising. This campaign was tweeted about by @MsftSecIntel on Twitter.
YARA rule: pornlocker
YARA rule: potential_CVE_2017_11882
This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc
Attempts to identify the exploit CVE-2017-11882
Attempts to identify the exploit CVE-2017-11882
SHA-3 (Keccak) round constants
SHA-3 (Keccak) interleaved round constants
Look for SipHash constants in big endian
YARA rule: slocker
ZLoader was delivered in a campaign in late summer 2021 using malvertising to download malicious .msi files onto affected machines. This campaign was originally tweeted by @MsftSecIntel on Twitter. In
YARA rule: thoughtcrime
Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru
Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru
Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru
Hunt package for 3 IOCs associated with Kimwolf
ClearFake malware is designed to ex
Hunt package for 2 IOCs associated with IClickFix
Hunt package for 2 IOCs associated with KongTuke
Hunt package for 5 IOCs associated with SmartApeSG
Hunt package for 34 IOCs associated with Unknown malware
Hunt package for 7 IOCs associated with AsyncRAT
Hunt package for 3 IOCs associated with Cobalt Strike
Hunt package for 3 IOCs associated with DCRat
Hunt package for 16 IOCs associated with Lumma Stealer
Hunt package for 3 IOCs associated with Meterpreter
Hunt package for 22 IOCs associated with Nanocore RAT
Hunt package for 2 IOCs associated with NjRAT
Hunt package for 5 IOCs associated with Phantom Stealer
Quasar
Hunt package for 5 IOCs associated with Remcos
Hunt package for 12 IOCs associated with Remus
SectopRAT is a remote access trojan that enables attackers to exfiltrate data, execute arbitrary commands, and maintain
Hunt package for 2 IOCs associated with ValleyRAT
Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels and establishes persistence through scheduled tasks or registry entries. It typically arrives via phishing
This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc
The YARA rule 'unknown_1' detects potential unknown malware family artifacts, likely indicating suspicious files or behaviors. SOC teams should deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify and contain threats early.
Hunt package for 28 malicious URLs tagged as 32-bit
Hunt package for 4 malicious URLs tagged as BillGates
Hunt package for 49 malicious URLs tagged as ClearFake
Hunt package for 4 malicious URLs tagged as malware_download
Hunt package for 3 malicious URLs tagged as Mozi
This query identifies the launch pattern associated with wastedlocker ransomware. Reference writeup: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
YARA rule: z3core
Microsoft has observed attackers exploiting vulnerabilities associated with Log4J.
This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc
Aria SBox 2
Look for Base64 table
BigDig bpInit
BigDig mpModExp
BigDig mpModInv
BigDig mpModMult
BigDig mpModulo
BigDig spModExpB
BigDig spModInv
BigDig spModMult
Look for 128-bit key Chacha stream cipher constant
Look for 256-bit key Chacha stream cipher constant
CryptoPP ApplyFunction
CryptoPP Integer constructor
CryptoPP RsaFunction
Look for DCP Blowfish EncryptCBC
Look for DCP Blowfish Init
Look for DCP Des EncryptECB
Look for DCP Des Init
Look for DCP RijnDael EncryptECB
Look for DCP RijnDael Init
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization
Look for Compare string function
Look for Copy function
Look for DecodeDate (DecodeDateFully) function
Look for Form.Show function
Look for IntToStr function
Look for Random function
Look for RandomRange function
Look for StrToInt function
Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J.
Prior to deploying Macaw ransomware in an organization, the adversary will disable all controlled folders, which will enable them to be encrypted once the ransomware payload is deployed.
DoppelPaymer In-Memory Malware Implant. This query identifies processes with command line launch strings which match the pattern used in DoppelPaymer ransomware attacks.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml. Questions via Twitter: @janvonkirchheim.
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization
This query searches for a string pattern detected in evasive PowerShell usage. Jupyter or SolarMarker will iterate on this pattern multiple times to read data and call additional processes. This query
Use this query to find Excel launching anomalous processes congruent with Qakbot payloads which contain additional markers from recent Qakbot executions. The presence of such anomalous processes indic
FGint RsaSign
Use this query to find attempts to access files in the local path containing Outlook emails.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml. Questions via Twitter: @janvonkirchheim.
The following query can locate activity possibly associated with the EUROPIUM threat actor
This query looks for Microsoft Defender Antivirus detections related to EUROPIUM actor
This query looks for identity additions through Exchange PowerShell
Directly prior to deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.
Prior to deploying Macaw ransomware in an organization, the adversary will disable several tools and functions in order to inhibit later recovery efforts.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml. Questions via Twitter: @janvonkirchheim.
This query looks for Microsoft Defender Antivirus detections with the family names used by KNOTWEED
This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\
This query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections
This query looks for new files being downloaded using Curl.
This query identifies matches based on KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables
This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LockBox DecryptRsaEx
LockBox EncryptRsaEx
LockBox RsaEncryptFile
LockBox TlbRsaKey
Backdoor processes associated with the OceanLotus Mac malware backdoor. References: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS platform
Backdoor processes associated with the OceanLotus Mac malware backdoor dropper. References: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS
Prior to deploying Macaw ransomware in an organization, adversaries will change the password for hundreds or thousands of accounts in order to lock users out of the network and impede recovery effort
Miracl Big constructor
Miracl mirsys init
Miracl mirvar
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml. Questions via Twitter: @janvonkirchheim.
OpenSSL BN_mod_exp_inverse
OpenSSL BN_mod_exp_mont
OpenSSL BN_mod_exp_recp
OpenSSL BN_mod_exp_simple
OpenSSL BN_mod_exp2_mont
YARA rule: OpenSSL_DSA
YARA rule: pkcs8_private_key_information_syntax_standard
Prior to deploying Macaw ransomware in an organization, adversaries will use Attrib to display file attribute information on multiple drives and all subfolders.
Qakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is i
Use this query to find email stealing activities run by Qakbot that will use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indi
Use this query to find email stealing activities run by Qakbot that will use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indi
Use this query to find reconnaissance and beaconing activities after code injection occurs. Reconnaissance commands are consistent with the current version of Qakbot and occur automatically to exfiltr
Find use of Alternate Data Streams (ADS) for anti-forensic purposes, including execution from Alternate Data Streams.
Adversaries are likely attempting to delete backup files in healthcare environments to eliminate recovery options
Look for cipher.exe deleting data from multiple drives. This is often performed as an anti-forensic measure prior to encryption.
Look for attempts to use fsutil.exe to delete file system logs that can be used as forensic artifacts.
Identify accounts that have logged on to affected endpoints. Check for specific alerts.
Find distinct evasion and execution activities associated with the Robbinhood ransomware campaign.
Find attempts to stop System Restore and prevent the system from creating restore points.
Locate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools.
RijnDael AES
RijnDael AES (check2) [char]
RijnDael AES S-inv [char]
RsaEuro NN_modInv
RsaEuro NN_modMult
RsaRef2 NN_modExp
RsaRef2 NN_modInv
RsaRef2 NN_modMult
RsaRef2 RsaPrivateDecrypt
RsaRef2 RsaPrivateEncrypt
RsaRef2 RsaPublicDecrypt
RsaRef2 RsaPublicEncrypt
This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections
StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payload onto the
StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payload onto the
StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payload onto the
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization
Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing identifiable strings in PowerShell commands.
Attackers may use unconventional PowerShell curl flags
Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing the ws_TomcatService.exe process to launch malicious processes.
Hunt package for 95 IOCs associated with ClearFake
Hunt package for 3 IOCs associated with KongTuke
Hunt package for 8 IOCs associated with SmartApeSG
Hunt package for 100 IOCs associated with Unknown malware
Hunt package for 5 IOCs associated with Unknown RAT
Hunt package for 3 IOCs associated with Amadey
Hunt package for 6 IOCs associated with Cobalt Strike
Hunt package for 2 IOCs associated with Lumma Stealer
Hunt package for 5 IOCs associated with Nanocore RAT
Hunt package for 9 IOCs associated with Remcos
The Stealc malware is a data exfiltration tool designed to steal sensitive information such as credentials and system data from infected hosts. It typically arrives via phishing emails or malicious websites containing malicious URLs that download and execute the payload. SOC analysts should monitor for unusual outbound traffic patterns, unexpected data transfers, and signs of lateral movement or command-and-control communication beyond the identified URLs.
Hunt package for 2 IOCs associated with ValleyRAT
Hunt package for 4 IOCs associated with Vidar
Look for Random function
Hunt package for 17 malicious URLs tagged as 32-bit
Hunt package for 8 malicious URLs tagged as arm
Hunt package for 51 malicious URLs tagged as ClearFake
Hunt package for 18 malicious URLs tagged as elf
Hunt package for 3 malicious URLs tagged as malware_download
Hunt package for 4 malicious URLs tagged as mirai
Hunt package for 2 malicious URLs tagged as Mozi
Hunt package for 12 malicious URLs tagged as ua-wget
Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.
Look for Random function
Look for Random function
YARA rule: x509_public_key_infrastructure_cert
Detects the use of SFTP.exe to execute commands indirectly via the ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitra
This query will hunt for files matching the current abuse.ch recent threat feed based on Sha256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using t
This query will hunt for files matching the current abuse.ch recent threat feed based on Sha256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using t
Sample query that searches for .settingcontent-ms files downloaded from the web through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox, or Microsoft Outlook. For questions @Mila
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml. Questions via Twitter: @janvonkirchheim.
Bazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. These emails contain no links or attachments, and use automatic payment lures to t
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml. Questions via Twitter: @janvonkirchheim.
Microsoft has observed Bazacall using Cobalt Strike in order to move laterally to other machines on the network.
DES [long]
DES [pbox] [long]
DES [sbox]
This is a query to retrieve the last 30 days of network connections to known Dofoil NameCoin servers. The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-d
BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Ex
BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Ex
Bazacall uses malicious macro-enabled Excel documents to execute their payload.
FGint Base256StringToGInt
FGint ConvertBase256StringToHexString
FGint ConvertBase256to64
FGint ConvertHexStringToBase256String
FGint DSAPrimeSearch
FGint DSASign
FGint DSAVerify
FGint ECAddPoints
FGint ECElGamalEncrypt
FGint ECPointDestroy
FGint ECPointKMultiple
FGint FGIntToBase256String
FGint FindPrimeGoodCurveAndPoint
FGint PGPConvertBase256to64
FGint RsaDecrypt
FGint RSAEncrypt
FGint RSAVerify
Bazacall uses malicious Excel files to execute payloads on affected devices.
Microsoft has observed compromises related to Bazacall resulting in theft of the Active Directory database using ntdsutil.exe.
Microsoft has observed Bazacall using a renamed version of Rclone for data exfiltration.
During the chain of events from Bazacall to Bazaloader, RunDLL makes several network connections, including to command and control (C2) infrastructure. The command line for these connections contains
The "Stolen Images" Bazarloader campaign uses fake copyright infringement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.
Hunt package for 103 IOCs associated with ClearFake
Hunt package for 7 IOCs associated with KongTuke
Hunt package for 6 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with Lumma Stealer
Hunt package for 6 IOCs associated with Nanocore RAT
Quasar RAT is
StrelaStealer is a credential-stealing malware that exfiltrates sensitive data, including passwords and browser cookies, by establishing covert communication with command-and-control servers. It typically arrives via phishing emails containing malicious links or compromised websites that deploy the malware through exploit kits or malicious attachments. SOC analysts should monitor for lateral movement indicators, unusual outbound traffic patterns
Hunt package for 16 IOCs associated with Vidar
Hunt package for 47 malicious URLs tagged as 32-bit
ClearFake is a malware family that primarily functions as a data exfiltration tool, leveraging command-and-control (C2) communication to
Hunt package for 3 malicious URLs tagged as malware_download
The Mozi malware family is a downloader that establishes command-and-control (C2) communication to exfiltrate data and deploy additional payloads. It typically arrives via phishing emails or malicious websites leveraging
In the campaign where Bazarloader is delivered via emails containing pw protected zip attachments, regsvr32.exe is used to launch a malicious payload that is disguised as a JPG file.
The pw protected zip attachment -> Word doc delivery method of Bazarloader utilizes Word to create an .hta file and launch it via MSHTA to connect to a malicious domain and pull down the Bazarloader p
This query offers daily categorization of ASR rules, helping SOC analysts monitor specific categories like office-related activities or WMI among the 16 rules. It aids in tracking detection rates and
'Under specific circumstances, executing KQL queries can exfiltrate information like access tokens, regarding external data functions like adx(). This query tries to list executed KQL queries that use
'This hunting query looks for increases in the number of workspaces queried by a user.'
CryptoPP a_exp_b_mod_c
CryptoPP modulo
FGint Base10StringToGInt
FGint FGIntDivMod
FGint FGIntDestroy
FGint FGIntModExp
FGint MontgomeryModExp
FGint MulByInt
'This hunting query identifies GitHub activities where it is the first time a user has deleted a repo, which may be a sign of compromise.'
'This hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise.'
'This hunting query identifies GitHub activities where there are a large number of deletions, which may be a sign of compromise.'
'This hunting query identifies GitHub OAuth Apps that have restrictions disabled, which may be a sign of compromise. Attackers will want to disable such security tools in order to go undetected.'
'Attackers can exfiltrate data from your GitHub repository by cloning it. This hunting query tracks clone activities for each repository, allowing quick identification of anomalies/excessive clones to
Adversaries may exploit GitHub's public access to exfiltrate sensitive data or distribute malicious code by converting private repositories to public, leveraging the platform's visibility for covert operations. SOC teams should proactively
'This hunting query identifies GitHub activities where permissions are updated, which may be a sign of compromise.'
'This hunting query identifies Accounts in GitHub that have granted access to another account which then grants access to yet another account that may be a sign of compromise.'
Looks for MD5 API
Look for MD5 constants
Miracl crt
Miracl powmod
'This hunting query looks for users who are running multiple queries that return either a very large amount of data or the maximum amount allowed by the query method.'
'This hunting query looks for clients running queries that have not previously been seen running queries.'
'This hunting query looks for new Service Principals running queries that have not previously been seen running queries.'
'This hunting query looks for users who have run queries calling a watchlist template relating to sensitive data that have not previously been seen calling these watchlists.'
'This hunting query looks for users who have run queries that have not previously been seen running queries.'
'This hunting query looks for anomalously large LA queries by users.'
'This hunting query looks for queries that appear to be looking for secrets or passwords in tables.'
The RC6_Constants rule detects binaries containing RC6 encryption constants, which may indicate malicious activity leveraging the RC6 cipher.
Look for RIPEMD-160 constants
Look for SHA1 constants
Look for SHA2/BLAKE2/Argon2 IVs
Look for SHA384/SHA512 constants
Look for TEA Encryption
Hunt package for 3 IOCs associated with Kimwolf
The Mirai malware family compromises IoT devices by exploiting default credentials and weak security configurations, turning them into bots for large-scale DDoS attacks. It typically arrives via network exploitation, leveraging un
Hunt package for 77 IOCs associated with ClearFake
Hunt package for 2 IOCs associated with FAKEUPDATES
The KongTuke malware is a data exfiltration tool that establishes
Hunt package for 36 IOCs associated with Unknown malware
The Havoc malware family is designed for data exfiltration and persistence, often leveraging encrypted communication channels to steal sensitive
Hunt package for 20 IOCs associated with Lumma Stealer
Hunt package for 7 IOCs associated with Quasar RAT
StrelaStealer is a credential-stealing malware that exfiltrates sensitive data such as usernames,
Hunt package for 3 IOCs associated with ValleyRAT
Vidar is a data exfiltration malware
The "32-bit" malware
Hunt package for 38 malicious URLs tagged as ClearFake
Hunt package for 3 malicious URLs tagged as malware_download
Hunt package for 9 malicious URLs tagged as Mozi
'This hunting query looks for users whose total returned data that is significantly above their average.'
'This hunting query looks for users who have multiple failed queries in a short space of time.'
Look for WhirlPool constants
'Threat actors can use JPEG files to hide malware, or other malicious code from inspection. This query looks for the downloading of abnormally large JPEG files from a source where large JPEG files hav
Looks for advapi API functions
'This query looks for users starting an Azure CloudShell session and summarizes the Azure Activity from that user account during that timeframe (by default 1 hour). This can be used to help identify ab
'This hunting query will identify where a file is uploaded to Azure File or Blob storage and is then accessed once before being deleted. This activity may be indicative of exfiltration activity.'
'This hunting query will try to identify instances where a file is uploaded to file storage and then deleted within a given threshold. By default the query will find instances where a file is uploaded
'Looks for file uploads actions to Azure File and Blob Storage from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent provi
'Detect mass file deletion events within Azure File and Blob storage. deleteWindow controls the period of time the deletions must occur in, whilst the deleteThreshold controls how many files must be d
Looks for big numbers 20:sized
Detects 32-bit numeric values that may indicate obfuscation
Looks for big numbers 48:sized
Looks for big numbers 64:sized
Looks for big numbers 128:sized
Looks for big numbers 256:sized
Look for Blowfish constants
'Discover all critical ports from a list having rules like 'Any' for sourceIp, which means that they are opened to everyone. Critical ports should not be opened to everyone, and should be filtered.'
'This query looks at the last 14 days for "Consent to application" operation by a user/app which could potentially mean unauthorized access. Additional context is added from AuditLogs based on Corrlea
Look for CRC16 table
Look for CRC32 [poly]
Look for CRC32 table
CRC32 table lookup
Look for CRC32b [poly]
Look for CRC32c (Castagnoli) [poly]
Looks for crypt32 CryptBinaryToStringA function
"This Kusto (KQL) hunting query detects blob-enumeration or file-spraying behaviour in Azure Storage by: - Aggregating requests into time-bound sessions with row_window_session(). - Defining a "us
Look for ElfHash
Look for FlyUtils.CnDES Decrypt ECB function
Look for FlyUtils.CnDES Encrypt ECB function
'This hunting query identifies a user that adds/invites a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization.'
'This query will look for events where a guest user was invited but has not accepted/redeemed the invite for an unusually long period. Any invites not redeemed for a long period of time can be misused and
'Detects observed Visual Studio Code (VS Code) extension installation activity on a user's system within the query time range. Note: This query does not return a complete per-user inventory of instal
"This query searches for any action type with high frequency that involves adding, modifying, or removing something in cloud app policies. It sees where the properties are modified such that the old v
'This hunting query looks in Azure Web Application Firewall data to find possible SpringShell Exploitation Attempt (CVE-2022-22965). The Spring Framework is one of the most widely used lightweight op
List of primes [char]
List of primes [long]
'Compares the current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by Azure Apps and automated approv
'Compares current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by specific users.'
'Finds instances where a file is uploaded to blob or file storage and is then seen on an endpoint by Microsoft Defender XDR.'
Hunt package for 5 IOCs associated with Kimwolf
Hunt package for 112 IOCs associated with ClearFake
Hunt package for 2 IOCs associated with KongTuke
Hunt package for 3 IOCs associated with OtterCookie
Hunt package for 44 IOCs associated with Unknown malware
Hunt package for 3 IOCs associated with Cobalt Strike
Hunt package for 2 IOCs associated with Nanocore RAT
Hunt package for 2 IOCs associated with Remcos
SmartLoader is a multi-stage loader malware that establishes persistence and exfiltrates data by dropping additional payloads and maintaining command-and-control communication
StrelaStealer is a credential-stealing malware that exfiltrates
Vidar is a data exfiltration malware that steals credentials and sensitive information, often using encrypted channels to transmit stolen data to command-and-control servers.
Hunt package for 37 malicious URLs tagged as 32-bit
Hunt package for 24 malicious URLs tagged as ClearFake
Hunt package for 24 malicious URLs tagged as malware_download
Hunt package for 14 malicious URLs tagged as Mozi
'This hunting query will try to identify the user account used to perform a file upload to blob storage. This query can be used to match all file upload events, or filtering can be applied on filename
'Identifies when a new user is granted access and any subsequent audit related activity. This can help you identify rogue or malicious user behavior.'
'Detects when a user has successfully authenticated to another Microsoft Entra ID tenant with an identity in your organization's tenant. Ref: https://docs.microsoft.com/azure/active-directory/fundam
'Identifies accounts that have been added to a PIM managed privileged group'
'Identifies modifications to user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence.'
This query shows details about all approved Entra ID Governance Access Packages assignments. The results include the time the request was created and approved along with the justification text provide
'Looks for users retrieving BitLocker keys. Enriches these logs with a summary of alerts associated with the user accessing the keys. Use this query to start looking for anomalous patterns of key retr
'This detection looks for the prevention of crash dumps being created. This can be used to limit reporting by malware; look for suspicious processes setting this registry key.'
Steal IE 7 credential
'breakdown of scripts running in the environment'
'Entropy calculation used to help identify Hosts where they have a high variety of processes (a high entropy process list on a given Host over time). This helps us identify rare processes on a given Ho
'Finds attempts to list users or groups using the built-in Windows 'net' tool '
'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by at
'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to
YARA rule: ldpreload
APC queue tasks migration
This rule checks MySQL database presence
'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell. Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
'This hunting query identifies updates to the RequiredResourceAccess property of an OAuth application. This property specifies resources that an application requires access to and the set of OAuth per
'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activi
'Finds PowerShell execution events that could involve a download'
The 'rat_rdp
The 'rat_telnet' YARA rule detects the presence of a Remote Administration
Remote Administration toolkit VNC
Remote Administration toolkit using webcam
'This detection uses Normalized Process Events to hunt Signed Binary Proxy Execution: Rundll32 activities'
Sniff Lan network traffic
'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process execution inf
Malware can spread east-west file
Malware can spread east-west using share drive
Match Windows Http API call
Match Windows Inet API call
Match Windows Inet API library declaration
Match Winsock 2 API library declaration
'Summarizes uses of uncommon & undocumented commandline switches to create persistence. User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/T
Attackers can use AdFind, which is an administrative tool, to gather information about Domain Controllers and ADFS servers. They may also rename the executable to look like other benign tools on the system. The query below
Hunt package for 113 IOCs associated with ClearFake
Hunt package for 4 IOCs associated with KongTuke
Hunt package for 43 IOCs associated with Unknown malware
Cobalt Strike is a sophisticated malware used for command and control (C2) operations, enabling attackers
The Lumma Stealer malware is a data-exfiltration tool that steals sensitive information such as credentials, browser data, and cryptocurrency wallet details. It typically arrives via phishing emails containing malicious URLs or compromised websites that deliver the payload. SOC analysts should monitor for unusual outbound traffic, unexpected process executions, and signs of credential theft or
Hunt package for 2 IOCs associated with MaskGramStealer
StrelaStealer is a credential-stealing malware that exfiltrates sensitive data such as usernames, passwords, and browser cookies by establishing command-and-control (C2) communication through malicious domains. It
Vidar malware is a data exfiltration tool that steals credentials and sensitive information via encrypted channels, often leveraging stolen credentials or phishing to maintain persistence. It typically arrives through malicious email attachments, compromised credentials, or exploit kits, using IP:port and URL IOCs to establish command-and
'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!) These new processes could be benign new programs installed on ho
Hunt package for 3 malicious URLs tagged as 118-107-44-190-8080
Hunt package for 3 malicious URLs tagged as 118-107-44-213-8080
Hunt package for 3 malicious URLs tagged as 118-107-44-253-8080
Hunt package for 15 malicious URLs tagged as 144-91-86-92
Hunt package for 6 malicious URLs tagged as 32-bit
Hunt package for 5 malicious URLs tagged as 38-76-199-154-8888
Hunt package for 2 malicious URLs tagged as ascii
Hunt package for 7 malicious URLs tagged as ClearFake
Hunt package for 29 malicious URLs tagged as malware_download
Hunt package for 11 malicious URLs tagged as mirai
Hunt package for 13 malicious URLs tagged as Mozi
Affect private profile
Create or check mutex
Affect private profile
Affect system registries
Affect system token
'This detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529)'
This query identifies Copilot Studio AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because the
This query identifies AI agents whose owners are either disabled or removed from the organization. Orphaned agents without an active owner pose governance and security risks because no one is account
This query identifies AI agents that remain unpublished and have not been modified for at least 30 days. While these agents may not pose an immediate security threat, they can create operational inef
Perform crypto currency mining
Inject certificate in store
'This detection uses Normalized Process Events to hunt Certutil activities'
This query identifies Copilot Studio AI agents that are published and contain actions configured with Author Authentication (maker's personal credentials) but have not been used or invoked in the last
This query identifies Copilot Studio AI agents that contain hard-coded credentials in Topics or Actions. Storing credentials in clear text within agent logic creates a security risk because these sec
This query identifies Copilot Studio AI agents that use HTTP actions to endpoints where Power Platform connectors are available (e.g., graph.microsoft.com, management.azure.com). Using direct HTTP ca
This query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the ri
This query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unau
Identifies Copilot Studio AI agents with Model Context Protocol (MCP) tools configured using maker credentials. This configuration can create security risks because the tool runs with the maker's pers
This query identifies Copilot Studio AI agents without authentication mechanisms. Authentication is an agent-level configuration. Such misconfiguration poses significant security risks because when t
This query identifies Copilot Studio AI agents that are shared broadly, either with the entire organization or configured for multi-tenant access. Such configurations significantly increase the risk of
This query identifies Copilot Studio AI agents that are published and use the maker's personal credentials in their authentication or integration flows. This configuration introduces security risks b
This query identifies Copilot Studio AI agents that are published but have not been used by any user in the organization for the last 30 days. Dormant agents can create unnecessary exposure and may s
Advers
This query identifies Copilot Studio AI agents configured to send emails to external mailboxes (outside the organization's domains). Such configurations can lead to sensitive or internal data being e
This query identifies Copilot Studio AI agents with classic orchestration that include Actions not referenced in any Topic. While unused Actions may not pose an immediate security risk, they can intr
Steal Firefox credential
Steal credential
Steal VNC credential
'This hunting query looks for process command line activity related to activity observed by Dev-0056. The command lines this query hunts for are used as part of the threat actor's post exploitation ac
'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware de
Dynamic DNS
Escalate privileges
'The Exchange PowerShell Snapin was loaded on a host; this allows for Exchange server management via PowerShell. Whilst this is a legitimate administrative tool, it is abused by attackers to perform
Run a keylogger
Lookup Geolocation
Lookup external IP
Communication using dga
Communications use DNS
File downloader/dropper
Communications over FTP
Communications over HTTP
Communications over IRC network
Communications over SSL
Communications over RAW socket
Take screenshot
Record Audio
Hunt package for 6 IOCs associated with Kimwolf
Hunt package for 107 IOCs associated with ClearFake
Hunt package for 6 IOCs associated with Unknown malware
Hunt package for 4 IOCs associated with Unknown Stealer
Hunt package for 2 IOCs associated with Remcos
Hunt package for 66 IOCs associated with StrelaStealer
Hunt package for 6 IOCs associated with Vidar
Hunt package for 21 malicious URLs tagged as 32-bit
Hunt package for 30 malicious URLs tagged as ClearFake
Hunt package for 18 malicious URLs tagged as elf
Hunt package for 10 malicious URLs tagged as exe
Hunt package for 12 malicious URLs tagged as malware_download
The Mozi malware family is a backdoor that enables remote command execution and data exfiltration, often used for persistent access and espionage. It typically arrives via phishing emails containing malicious URLs or through compromised websites hosting malicious domains. SOC analysts should monitor for unusual outbound traffic to listed domains, signs of lateral movement,
This query identifies A365 AI agents that contain hard-coded credentials in their tools or actions. Storing credentials in clear text within agent logic creates a security risk because these secrets
This query identifies A365 AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the risk of inte
This query identifies A365 AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unauthorized n
This query identifies A365 AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because they can exec
This query identifies A365 AI agents that have tools configured but they are not mentioned in instructions.
This query identifies A365 AI agents whose owners are either disabled or removed from the organization, and are not blocked. Orphaned agents without an active owner pose governance and security risks
This query identifies A365 AI agents that are shared publicly. Such configurations significantly increase the risk of unauthorized access by unintended users, which could lead to data exposure or misu
This query identifies A365 AI agents that are published but have short or insufficient instructions. Short instructions increase the risk of prompt injection attacks, where malicious input can influe
This query identifies A365 AI agents that are published but lack configured instructions. Missing instructions increase the risk of prompt injection attacks, where malicious input can influence the a
Check if hotfixes are applied
This query identifies Copilot Studio AI agents using generative orchestration to send emails via the Outlook connector where all action input values are populated dynamically by the orchestrator. Th
Create a COM server
Create a new process
Create a windows service
Bypass DEP
Disable Task Manager
'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. This query uses the Exchange HttpProxy
'This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which ev
'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'
'Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server. This could be indicative of attempted port scanning or exploit attempt at internet facing we
'Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server. This could be indicative of attempted brute force based on known account information. This could als
Hijack network configuration
Code injection with CreateRemoteThread in a remote process
Communications dyndns network
Communications over P2P network
Communications smtp
Communications smtp
Communications smtp
Listen for incoming communication
Communications over TOR network
Communications over Teredo network
Communications over UDP network
Install itself for autorun at Windows startup
'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors. The same query can be run on HTTPProxy logs from on-premise hosted Exchange se
'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the t
'Alerts on links that have been shared across multiple Zoom chat channels by the same user in a short space of time. Adjust the threshold figure to change the number of channels a message needs to be
Hunt package for 124 IOCs associated with ClearFake
Hunt package for 12 IOCs associated with Unknown malware
Hunt package for 25 IOCs associated with Unknown Loader
Hunt package for 9 IOCs associated with Unknown Stealer
Hunt package for 10 IOCs associated with Nanocore RAT
Hunt package for 2 IOCs associated with Remcos
Hunt package for 5 IOCs associated with ValleyRAT
Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting financial institutions and using persistence mechanisms to maintain long-term access.
Hunt package for 44 malicious URLs tagged as 32-bit
Hunt package for 40 malicious URLs tagged as ClearFake
Hunt package for 9 malicious URLs tagged as malware_download
Hunt package for 2 malicious URLs tagged as mirai
Hunt package for 5 malicious URLs tagged as Mozi
'The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in. You can also whitelist known good time zones in the tz_whitelist value using the tz data
The following rule is referenced from AlienVault's YARA rule repository. This rule contains additional process and driver names.
Affect hook table
'This alerts when end to end encryption is disabled for Zoom meetings.'
'Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.'
'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccount
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, inve
'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
Checks if being debugged
Checks for the presence of known debug tools
Anti-Sandbox checks for Anubis
Anti-Sandbox checks for CWSandbox
Anti-Sandbox checks for Joe Sandbox
Anti-Sandbox checks for Sandboxie
Anti-Sandbox checks for ThreatExpert
AntiVM checks for Bios version
AntiVM checks for VirtualBox
AntiVM checks for VMWare
Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts
'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days. Privileged accounts are a key target f
YARA rule: Check_FindWindowA_iat
YARA rule: Check_OutputDebugStringA_iat
YARA rule: check_RaiseException_iat
YARA rule: Check_unhandledExceptionFiler_iat
Anti-debug process memory working set size check
Disable AntiVirus
Disable Firewall
Disable Registry editor
Disable User Access Control
'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.'
'Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server. This could be indicative of an attempted brute force. This could also simply indicate a misconfi
'Identifies an interrupted sign-in session from a country the user has not signed in from before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such
'Identifies when a user account was created and then added to the built-in Administrators group in the same day. This should be monitored closely and all additions reviewed.'
'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days. Monitor these logons to ensure they are legitimate and identify if there are any similar sign
'Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from
'This query identifies whether an Active Directory user object was assigned a service principal name, which could indicate that an adversary is preparing to perform Kerberoasting. This query check
'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/
'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targetin
'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be conf
Hunt package for 163 IOCs associated with ClearFake
Hunt package for 4 IOCs associated with KongTuke
Hunt package for 2 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with StrelaStealer
Hunt package for 28 IOCs associated with Vidar
Hunt package for 36 malicious URLs tagged as 32-bit
Hunt package for 11 malicious URLs tagged as 45-156-87-194
Hunt package for 37 malicious URLs tagged as ClearFake
Hunt package for 2 malicious URLs tagged as elf
Hunt package for 3 malicious URLs tagged as malware_download
The Mirai malware family is a botnet that compromises IoT devices to launch large-scale DDoS
Hunt package for 8 malicious URLs tagged as Mozi
'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an exp
'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'
'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'
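The two descriptions above ("created and then deleted" and "enabled and then disabled" within 10 minutes) are one pattern: a pair of account-management Security events on the same account and host inside a short window. The following Python is an added example, not code from the original page or from any Sentinel rule, that runs that pairing over a constructed sample of Windows Security events. Event IDs 4720/4726/4722/4725 are the standard account created/deleted/enabled/disabled IDs; the field names and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry).
# 4720 = user account created, 4726 = deleted, 4722 = enabled, 4725 = disabled.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "event_id": 4720, "target": "svc_backup",  "subject": "admin1",   "computer": "DC01"},
    {"time": "2024-05-01T10:06:30", "event_id": 4726, "target": "svc_backup",  "subject": "admin1",   "computer": "DC01"},
    {"time": "2024-05-01T11:00:00", "event_id": 4720, "target": "jdoe",        "subject": "hr_admin", "computer": "DC01"},
    {"time": "2024-05-02T09:00:00", "event_id": 4726, "target": "jdoe",        "subject": "hr_admin", "computer": "DC01"},
    {"time": "2024-05-01T12:00:00", "event_id": 4722, "target": "contractor7", "subject": "admin2",   "computer": "DC02"},
    {"time": "2024-05-01T12:04:00", "event_id": 4725, "target": "contractor7", "subject": "admin2",   "computer": "DC02"},
]

# (first event, second event) pairs that are suspicious when they happen close together.
PAIRS = {
    "account_created_then_deleted": (4720, 4726),
    "account_enabled_then_disabled": (4722, 4725),
}


def find_short_lived_changes(events, window_minutes=10, pairs=PAIRS):
    """Return one hit per (rule, account, host) where the second event of a pair
    follows the first on the same account and host within window_minutes."""
    window = timedelta(minutes=window_minutes)
    # Index timestamps by (account, host, event id) so each pair is a direct lookup.
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["target"], e["computer"], e["event_id"])].append(datetime.fromisoformat(e["time"]))

    hits = []
    for rule, (first_id, second_id) in pairs.items():
        for (target, computer, event_id), firsts in by_key.items():
            if event_id != first_id:
                continue
            seconds = sorted(by_key.get((target, computer, second_id), []))
            for t1 in sorted(firsts):
                # Earliest matching second event inside the window; later ones are not re-reported.
                t2 = next((t for t in seconds if t1 <= t <= t1 + window), None)
                if t2 is not None:
                    hits.append({
                        "rule": rule, "target": target, "computer": computer,
                        "first": t1.isoformat(), "second": t2.isoformat(),
                        "delta_seconds": int((t2 - t1).total_seconds()),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_short_lived_changes(SAMPLE_EVENTS):
        print(hit)
```

The jdoe account is created and deleted a day apart, so it falls outside the window; lowering window_minutes to 5 drops the svc_backup hit (390 s) but keeps contractor7 (240 s).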
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configu
'This detection uses Security events from the "AD FS Auditing" provider to detect suspicious object identifiers (OIDs) as part of EventID 501 and specifically part of the Enhanced Key Usage attributes. T
'This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attac
YARA rule: Check_Debugger
YARA rule: Check_Dlls
YARA rule: Check_DriveSize
YARA rule: Check_FilePaths
YARA rule: Check_Qemu_Description
YARA rule: Check_Qemu_DeviceMap
YARA rule: Check_UserNames
YARA rule: Check_VBox_Description
The 'Check_VBox_DeviceMap' rule detects strings used to read the HARDWARE\DEVICEMAP\Scsi registry identifier and compare it against a VBOX marker, a VirtualBox-detection check that sandbox-evasive malware performs.
YARA rule: Check_VBox_Guest_Additions
YARA rule: Check_VBox_VideoDrivers
The 'Check_VmTools' YARA rule detects strings that look for VMware Tools on the host, such as the VMware Tools registry key, a VM-detection check that sandbox-evasive malware performs.
YARA rule: Check_VMWare_DeviceMap
YARA rule: Check_Wine
'This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.'
YARA rule: DebuggerPattern__CPUID
YARA rule: DebuggerPattern__SEH_Inits
YARA rule: DebuggerPattern__SEH_Saves
'This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785'
'This query detects domain user accounts creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID
'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is
'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. T
'This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent. This detection requires an access control entry (AC
'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS). Information from AD H
'This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution of a malicious script. References: https://www.microsoft.com/security/
'This query identifies when rundll32.exe executes a specific set of inline VBScript commands. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-
'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a
'Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day
'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object
'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details:
'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service acc
'Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonTyp
'Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from
YARA rule: SEH_Init
YARA rule: SEH_Save
'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearl
Hunt package for 3 IOCs associated with Mirai
Hunt package for 63 IOCs associated with ClearFake
Hunt package for 7 IOCs associated with AMOS
Hunt package for 7 IOCs associated with Unknown malware
The "Unknown Loader" malware is a downloader that
The "Unknown Stealer" malware is a data-exfiltration
Hunt package for 2 IOCs associated with AsyncRAT
Hunt package for 2 IOCs associated with Nanocore RAT
Hunt package for 15 IOCs associated with NetSupportManager RAT
Hunt package for 87 IOCs associated with Vidar
Hunt package for 26 malicious URLs tagged as 32-bit
Hunt package for 26 malicious URLs tagged as ClearFake
Hunt package for 30 malicious URLs tagged as elf
Hunt package for 7 malicious URLs tagged as Mozi
Hunt package for 2 malicious URLs tagged as sh
Hunt package for 7 malicious URLs tagged as ua-wget
Possibly employs anti-virtualization techniques
'This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances afte
Detects suspicious registry modifications made by suspicious processes, such as script engines (WScript, CScript, etc.). These processes are rarely used for legitimate registry modifica
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory un
Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration. In enterpri
'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) an
'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.<br>You can add custom crypto mining
'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Ag
'This rule identifies a web request with a user agent header known to belong to PowerShell. <br>You can add custom PowerShell-indicating User-Agent headers using a watchlist, for more information refer t
'This query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistent ac
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requiremen
'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.go
'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where
'Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts'
'Identifies a match for SQL Injection attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.o
'Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.org/www-pro
'Detects changes to an Application ID URI. Monitor these changes to make sure that they were authorized. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-app
'Detects the redirect URL of an app being changed. Applications associated with URLs not controlled by the organization can pose a security risk. Ref: https://docs.microsoft.com/azure/active-direc
'Identifies if an AV scan fails in Azure App Services.'
'Identifies if an AV scan finds infected files in Azure App Services.'
This detects attempts to manipulate audit policies using the auditpol command. This technique was seen in relation to the Solorigate attack but the results can indicate potential malicious activity used in di
'This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query join
'This query looks for Microsoft Defender AV detections related to Europium actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query join
'This query looks for Microsoft Defender AV detections related to Hive Ransomware. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins
'This query looks for diagnostic settings that are removed from a resource. This could indicate an attacker or malicious insider trying to evade detection before a malicious act is performed. If the di
'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.'
'Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique. The uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it impo
'Detects changes to an application's sign-out URL. Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session. Ref
'Detects changes to the ownership of an application. Monitor these changes to make sure that they were authorized. Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-ap
'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer
'Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins. Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potenti
'IP addresses of broadband links that usually indicate users attempting to access their home network, for example for a remote session to a home computer.'
'Detects first connection to an unpopular website (possible malicious payload delivery).'
'Detects suspicious user agent strings used by crypto miners in proxy logs.'
'Rule helps to detect empty or unusual user agents indicating web browsing activity by an unusual process other than a web browser.'
'Detects suspicious user agent strings used by known hack tools'
'Rule helps to detect rare user agents indicating web browsing activity by an unusual process other than a web browser.'
'It is recommended that these categories be blocked by policy because they provide harmful/malicious content.'
'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
'Malware can use a bare IP address, rather than a domain name, to communicate with its C2.'
'Rule helps to detect PowerShell user-agent activity by an unusual process other than a web browser.'
'This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\. This can be used to enable COM hijacking for persistence. Ref: https://www.microso
'Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days. A threat actor may try to modify policies to weaken the security controls in place.
'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predictable paths. This detection will alert when over 20 sequences are observed in a single day.'
'CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.'
'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. This query will help detect attackers attempts to dis
'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossi
'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom versions of popular tools like PsExec, Procdump, etc. to carry out its activity. Th
'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of rans
This query detects attempts to add attacker devices as allowed IDs for ActiveSync using the Set-CASMailbox command. This technique was seen in relation to the Solorigate attack but the results can indica
'Detects a user's consent to an OAuth application being blocked due to it being too risky. These events should be investigated to understand why the user attempted to consent to the application and
'Identifies a match across various data feeds for hashes and IP IOCs related to Europium. Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-t
'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviou
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Microsoft Entra ID logons from these IPs with
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful AWS Console logons from these IPs with
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful remote logons to hosts from these IPs
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Microsoft Entra ID from these IPs w
'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality suc
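The beaconing description above relies on one statistic: for each internal/external pair, the inter-connection deltas of a beacon cluster tightly around a period even when the implant adds random sleep (jitter), while human traffic does not. The Python below is an added example, not the Fortinet query itself, that computes that test over a constructed sample of connection records; it models jitter as a tolerated deviation from the median period and does not model seasonality. The field names, thresholds and sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of firewall connection records (not real Fortinet data):
# 10.0.0.5 -> 203.0.113.10 roughly every 60 s with a few seconds of jitter,
# 10.0.0.5 -> 198.51.100.7 at irregular, human-looking intervals.
SAMPLE_CONNECTIONS = [
    {"time": "2024-05-01T10:00:00", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"time": "2024-05-01T10:01:02", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"time": "2024-05-01T10:01:59", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"time": "2024-05-01T10:03:01", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"time": "2024-05-01T10:04:00", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"time": "2024-05-01T10:04:58", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"time": "2024-05-01T10:06:03", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"time": "2024-05-01T10:00:00", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"time": "2024-05-01T10:00:05", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"time": "2024-05-01T10:00:06", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"time": "2024-05-01T10:07:40", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"time": "2024-05-01T10:07:41", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"time": "2024-05-01T10:20:00", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"time": "2024-05-01T10:21:30", "src": "10.0.0.5", "dst": "198.51.100.7"},
]


def beacon_candidates(events, min_connections=6, jitter_ratio=0.2, min_fraction=0.8):
    """Flag (src, dst) pairs whose inter-connection deltas cluster tightly around
    their median. jitter_ratio is the tolerated deviation from the median period,
    so a beacon sleeping 60 s +/- 20% still scores as regular."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(datetime.fromisoformat(e["time"]))

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(deltas)
        if period <= 0:
            continue
        regular = sum(abs(d - period) <= jitter_ratio * period for d in deltas)
        fraction = regular / len(deltas)
        if fraction >= min_fraction:
            flagged[pair] = {"period_s": period, "regular_fraction": fraction, "connections": len(times)}
    return flagged


if __name__ == "__main__":
    for pair, stats in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(pair, stats)
```

The median rather than the mean is the design choice that matters: a single long gap (the implant host asleep, a dropped session) would drag a mean period away from the true one, but leaves the median untouched.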
'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon Event
'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect
'It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user. The query filters the SigninLogs for e
'The query below identifies PowerShell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-u
'This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to identify any machi
This query creates a list of IP addresses with the number of failed login attempts to Entra ID above a set threshold (default of 5). It then looks for any successful Palo Alto VPN logins from any
'Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-iss
'This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network de
'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.'
'Identifies a match across various data feeds for domains, hashes and IP IOCs related to Mercury. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabiliti
'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. In Microsoft Sentinel, the SecurityAlerts tabl
'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and cer
'Often, after the initial compromise, the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit the ability to warn compromised users that they've b
'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from mu
Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vu
'This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the f
'The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft ne
'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are d
'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points tha
'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process
'This query looks for file hashes and AV signatures associated with Prestige ransomware payload.'
'This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server'
'This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.'
'This detection will alert when RunningRAT URI parameters or paths are detected in an HTTP request. If the device blocked this communication, the presence of this alert means the RunningRAT implant is likely
'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant re
'Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read. A threat actor who compromises a Service Principal may assign it an app role to allow it to acces
'Detects a privileged role being added to a Service Principal. Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly p
'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasiv
'This query will detect when an attempt is made to update an existing user and link it to a guest or external identity. These activities are unusual and such linking of external identities should b
'This query will detect logins from a guest account that was recently deleted. Any successful logins from deleted identities should be investigated further if any existing user accounts have been
'This query will detect if user properties of a Global Administrator are updated by an existing user. Usually only a User Administrator or another Global Administrator can update such properties. Investigat
'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous. This query uses Microsoft Sentinel's UEBA features to detect thes
'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud
'Identifies anomalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from
'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data t
'This query identifies when a new trust monitor event is detected.'
'Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect anomalies that are themselves unusual: they could be a type of anomaly that has recently been activated, or an infrequ
'The query below identifies the creation of an unusual identity by the Europium actor to mimic the Microsoft Exchange Health Manager Service account using Exchange PowerShell commands. Reference: https://www.m
'Detects a URL being added to an application where the domain is not one that is associated with the tenant. The query uses domains seen in sign in logs to determine if the domain is associated with
'This query looks for accounts being created where the name does not match a defined pattern. Attackers may attempt to add accounts as a means of establishing persistent access to an environment, lo
'This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant. Attackers may attempt to add accounts as a means of establishing persist
'Detects when a guest account in a tenant is converted to a member of the tenant. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Account
This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template. Use this detection to alert for users specif
'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://documentation.wazuh.com/current/cloud-security/azure/in
'This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen used by POLONIUM in their Runn
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Detects the presence of the U+202E (RIGHT-TO-LEFT OVERRIDE) character, which causes a terminal, browser, or operating system to render the following text in a right-to-left sequence. This character is used as an obfuscation and masquerad
'Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://ak
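Both descriptions above are string-level checks on names and command lines: the RIGHT-TO-LEFT OVERRIDE makes a displayed extension differ from the real one, and a base64-encoded PE begins with the DOS header magic "MZ" (which encodes as "TVqQ..." when the blob is aligned to the start of the file). The Python below is an added example, not the Sentinel rule's KQL or any ASIM parser, that performs both checks; the DOS-header stub, the sample command line, the sample filename and the minimum base64 run length are constructed assumptions. The rendering helper approximates the Unicode bidi algorithm for the common ASCII filename case only.

```python
import base64
import binascii
import re

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def rtlo_display_name(name):
    """Approximate how a bidi-aware UI shows a name containing RLO: everything
    after the override is laid out right-to-left, i.e. reversed for ASCII text."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def rtlo_extension_mismatch(name):
    """Return (shown_extension, real_extension) when RLO makes the displayed
    extension differ from the one the OS will actually use, else None."""
    if RLO not in name:
        return None
    shown = rtlo_display_name(name).rsplit(".", 1)[-1].lower()
    real = name.rsplit(".", 1)[-1].lower()
    return (shown, real) if shown != real else None


# Runs of base64 alphabet long enough to hold at least a DOS header fragment (assumed minimum).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _decode_alignments(run):
    """Yield the decoded bytes of `run` at each of the three possible base64
    alignments; dropping 1 or 2 leading characters realigns a blob that the
    regex captured together with preceding base64-alphabet text."""
    for skip in range(3):
        chunk = run[skip:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole 4-char quanta only
        if len(chunk) < 4:
            continue
        try:
            yield base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):
            continue


def find_base64_pe(cmdline):
    """Return the base64 runs in `cmdline` that decode to data starting with the
    'MZ' DOS header magic, whatever DOS header bytes follow it."""
    hits = []
    for m in B64_RUN.finditer(cmdline):
        run = m.group(0)
        if any(raw.startswith(b"MZ") for raw in _decode_alignments(run)):
            hits.append(run)
    return hits


# Constructed 64-byte DOS-header stub (not a real executable), embedded the way
# an in-memory loader would hand it to [Convert]::FromBase64String.
FAKE_DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
ENCODED_STUB = base64.b64encode(FAKE_DOS_HEADER).decode()
SAMPLE_CMDLINE = (
    "powershell.exe -nop -c \"$b=[Convert]::FromBase64String('"
    + ENCODED_STUB + "');[Reflection.Assembly]::Load($b)\""
)
SAMPLE_FILENAME = "invoice" + RLO + "fdp.exe"  # rendered as invoiceexe.pdf

if __name__ == "__main__":
    print(rtlo_display_name(SAMPLE_FILENAME), rtlo_extension_mismatch(SAMPLE_FILENAME))
    print(find_base64_pe(SAMPLE_CMDLINE))
```

Decoding and checking for "MZ" rather than matching the literal "TVqQAAMAAAAEAAAA" catches headers whose e_cblp/e_cp fields differ (the "TVpQ", "TVqA" variants) and blobs the regex picked up with one or two stray leading characters.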
'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. Note that the query does no
YARA rule: DebuggerCheck__DrWatson
YARA rule: DebuggerCheck__GlobalFlags
YARA rule: DebuggerCheck__PEB
YARA rule: DebuggerCheck__QueryInfo
YARA rule: DebuggerCheck__RemoteAPI
YARA rule: DebuggerException__ConsoleCtrl
YARA rule: DebuggerException__SetConsoleCtrl
YARA rule: DebuggerException__UnhandledFilter
YARA rule: DebuggerHiding__Active
YARA rule: DebuggerHiding__Thread
YARA rule: DebuggerOutput__String
YARA rule: DebuggerPattern__RDTSC
YARA rule: DebuggerTiming__PerformanceCounter
YARA rule: DebuggerTiming__Ticks
'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your en
'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom s
'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports th
This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [c
'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in
'Identifies malware that has been hidden in the recycle bin. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
'This query identifies when rundll32.exe executes a specific set of inline VBScript commands. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-m
'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice
'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (b
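The DGA descriptions earlier in this list and the two NXDOMAIN descriptions above are two halves of one detection: score each queried name for algorithmic-looking structure, then raise an alert when a client accumulates many NXDOMAIN answers for such names. The Python below is an added example, not the KQL of any of those rules, that does both over a constructed DNS log. It scores the label left of the TLD on Shannon entropy, digit ratio and vowel ratio (a dictionary-word label is high in vowels and low in digits, an algorithmic one the reverse); the thresholds, the single-label public suffix assumption (no Public Suffix List lookup) and the sample records are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real telemetry). rcode 3 == NXDOMAIN.
SAMPLE_DNS = [
    {"client": "10.0.0.5", "query": "mail.google.com",   "rcode": 0},
    {"client": "10.0.0.5", "query": "xk3jq9vlz0p2.com",  "rcode": 3},
    {"client": "10.0.0.5", "query": "qwp7r2mzc8yt.net",  "rcode": 3},
    {"client": "10.0.0.5", "query": "hb4ns1ktwq9d.org",  "rcode": 3},
    {"client": "10.0.0.5", "query": "a9d3kz7pw.info",    "rcode": 3},
    {"client": "10.0.0.7", "query": "www.microsoft.com", "rcode": 0},
    {"client": "10.0.0.7", "query": "typo-examplee.com", "rcode": 3},
    {"client": "10.0.0.7", "query": "api.github.com",    "rcode": 0},
]


def registered_label(fqdn):
    """Label left of the TLD. Assumption: single-label public suffix (no PSL lookup)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_features(label):
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n if n else 0.0,
    }


def looks_dga(label, min_len=8, min_entropy=3.0):
    """Entropy alone misfires on long real words, so it is combined with the
    digit/vowel profile; thresholds are assumptions to tune per environment."""
    f = label_features(label)
    if f["length"] < min_len or f["entropy"] < min_entropy:
        return False
    return f["digit_ratio"] >= 0.2 or f["vowel_ratio"] < 0.15


def flag_dga_clients(events, nx_threshold=3, dga_fraction=0.5):
    """Clients with at least nx_threshold NXDOMAIN answers where at least
    dga_fraction of the failed names look algorithmically generated."""
    nx_by_client = defaultdict(list)
    for e in events:
        if e["rcode"] == 3:
            nx_by_client[e["client"]].append(registered_label(e["query"]))

    flagged = {}
    for client, labels in nx_by_client.items():
        if len(labels) < nx_threshold:
            continue
        dga = [label for label in labels if looks_dga(label)]
        if len(dga) / len(labels) >= dga_fraction:
            flagged[client] = {"nxdomain": len(labels), "dga_like": sorted(dga)}
    return flagged


if __name__ == "__main__":
    for client, info in flag_dga_clients(SAMPLE_DNS).items():
        print(client, info)
```

The client that mistyped a legitimate domain once is not flagged even with nx_threshold lowered to 1, because "typo-examplee" has the vowel profile of a word; the client cycling through high-entropy, digit-heavy names is.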
'This query searches for failed attempts to log in from more than 15 distinct users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack. To use t
'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C dri
'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery. To use this analytics rule, make sur
'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.
YARA rule: SEH__v3
YARA rule: SEH__v4
YARA rule: SEH__vba
YARA rule: SEH__vectored
'Identifies IPs with failed attempts to sign in to one or more disabled accounts that signed in successfully to another account. To use this analytics rule, make sure you have deployed the [ASIM normalizat
Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEven
YARA rule: ThreadControl__Context
Hunt package for 108 IOCs associated with ClearFake
Hunt package for 2 IOCs associated with KongTuke
Hunt package for 31 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with AdaptixC2
Hunt package for 2 IOCs associated with AsyncRAT
Hunt package for 14 IOCs associated with Cobalt Strike
Hunt package for 3 IOCs associated with Havoc
Hunt package for 4 IOCs associated with Meterpreter
Hunt package for 2 IOCs associated with NetSupportManager RAT
Hunt package for 4 IOCs associated with Quasar RAT
Hunt package for 9 IOCs associated with Remcos
Hunt package for 4 IOCs associated with SocksProxyGo
Hunt package for 5 IOCs associated with XWorm
Hunt package for 46 malicious URLs tagged as 32-bit
Hunt package for 32 malicious URLs tagged as ACRStealer
Hunt package for 5 malicious URLs tagged as elf
Hunt package for 4 malicious URLs tagged as malware_download
Hunt package for 2 malicious URLs tagged as mirai
Hunt package for 9 malicious URLs tagged as Mozi
'This query searches for successful user logins from different countries within 3 hours. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAu
YARA rule: WindowsPE
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
Detects Obfuscated Powershell via Stdin in Scripts
Detects Obfuscated Powershell via use of Clip.exe in Scripts
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is
Detects default file names output by the BloodHound collection tool SharpHound
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote mana
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Pr
Detects potentially suspicious PowerShell script executions from a temporary folder
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using
Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwar
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to
Detects usage of the "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or otherwise.
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking invol
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of group IDs (GIDs
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of user IDs (UIDs)
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes o
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installatio
Detects modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to
Detects installation of suspicious packages using system installation utilities
Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can
Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can acc
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applica
Detects cmdlet names from well-known PowerShell exploitation frameworks
Detects the creation of known offensive PowerShell scripts used for exploitation
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
Detects the image load of VSS DLL by uncommon executables
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by an attacker to block EDR/AV components while allowing their own malicio
A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition att
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. Cl
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets,
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromise
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable,
Detects listing of the inodes of the "/" directory to determine whether we are running inside of a container.
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit mal
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigg
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged t
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binar
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of e
Detects execution of "msdt.exe" using an answer file, which simulates the legitimate way of calling msdt via "pcwrun.exe" (for example from the compatibility tab).
Detects the creation of new Office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled doc
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion technique
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for exam
Detects the use of Tor or Tor-Browser to connect to onion routing networks
Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them)
Detects attempts to query system information directly from the Windows Registry.
Detects AdFind execution with common flags seen used during attacks
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacki
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat ac
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like M
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells o
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Detects use of Windows 8.3 short names, which could be used as a method to avoid image-based detection
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the co
Detects the use of various CLI utilities exfiltrating data via web requests
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt at lateral movement via BitLocker DCOM &
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator,
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could i
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable
Detects the creation of files with an executable or script extension by an Office application.
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or
Detects an Office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42
Detects a ping command that uses a hex encoded IP address
Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, includ
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a w
Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Detects usage of the "ssh.exe" binary as a proxy to launch other programs.
Detects specific commands commonly used to remove or empty the syslog. This is a technique often used by attackers as a method to hide their tracks
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat,
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often tim
Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack
Detects execution of a Chromium-based browser in headless mode using the "dump-dom" command line to download files
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump cre
Detects creation of a new service (kernel driver) with the type "kernel"
Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
Detects potential DLL sideloading of "dbghelp.dll"
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc., and connects to a web application over http(s); this cou
Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Detects Windows executables that write files with suspicious extensions
Detects DLL sideloading of "dbgcore.dll"
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute comman
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intende
Detects the creation of a new service using the "sc.exe" utility.
Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe". This could indicate possible persistence
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attack
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote
Detects the image load of "Python Core" by a non-Python process. This might be indicative of the execution of an executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, a
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with suc
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabil
Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hides known file extensions by default.
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspic
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
Detects PowerShell download and execution cradles.
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been asso
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
Detects PowerShell creating a binary executable or a script file.
Detects the execution of the Doppelganger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION struct
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g. "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treat
Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentic
Detects processes that query known 3rd party registry keys that hold credentials via commandline
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potential
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract
Detects file creation events with filename patterns used by Impacket.
Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '-
Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt). This can give access to plaintext passwords used in PowerShell commands or used
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 c
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
Detects suspicious parent processes of well-known Windows processes
Detects suspicious encoded character syntax often used for defense evasion
Detects potential DLL sideloading of "mscorsvc.dll".
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a l
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
Detects suspicious reg.exe command lines adding a key to the Run key in the registry
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Detects suspicious filenames that contain a right-to-left override character and potentially spoofed file extensions.
Detects when the Microsoft Management Console (MMC) loads DLL libraries like vbscript, jscript, etc., which might indicate an attempt to execute malicious scripts within a trusted system process for
Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies t
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious paylo
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
Detects the execution of "dctask64.exe", a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution
Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execut
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System (CLFS).
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This beh
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
Detects files that have extensions commonly seen while SDelete is used to wipe files.
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and network shares.
Searches for usage of reg or PowerShell by non-privileged users to modify service configuration in the registry
Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service ImagePath or FailureCommand
Detects modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level
Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers a
Detects child processes spawned with SYSTEM privileges by parents running as the LOCAL SERVICE or NETWORK SERVICE accounts
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administ
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass e
Detects the use of CoercedPotato, a tool for privilege escalation
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
Detects the execution of the GMER tool based on image and hash fields.
Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
Detects the use of NPS, a port forwarding and intranet penetration proxy server
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
Detects a python process calling the PTY module in order to spawn a pseudo-terminal (pty), which could be indicative of potential reverse shell activity.
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites, which were seen to be used as dead drop resolvers in previous at
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by l
Detects known hacktool execution based on image name.
Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services for example.
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects the use of the "capsh" utility to invoke a shell.
Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out fro
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate pri
Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out fro
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living-off-the-land binary in order to proxy execution.
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequen
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One tr
Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" fun
Detects file access requests to the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::m
Detects suspicious processes based on name and location that access the Windows credential manager and vault, which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi
Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
Detects potential DLL sideloading of "DbgModel.dll"
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually i
Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
Detects a potentially suspicious execution from an uncommon folder.
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execu
Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, External hard
Detects potential DLL sideloading of "MpSvc.dll".
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensit
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker t
Detects file creation events with filename patterns used by CrackMapExec.
Detects the presence and execution of Inveigh via dropped artefacts
Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies o
Detects a dump file written by QuarksPwDump password dumper
Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
Detects default lsass dump filename generated by SafetyKatz.
Detects files written by the different tools that exploit HiveNightmare
Detects an uncommon parent process of "LINK.EXE". Link.EXE is the Microsoft incremental linker. It's a utility usually bundled with a Visual Studio installation. Multiple utilities often found in the same fo
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DI
Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any ar
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unexpected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have
Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersk
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Detects network connections from the Equation Editor process "eqnedt32.exe".
Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Detects a network connection initiated by Cmstp.EXE. It's uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects the creation of files with scripting or executable extensions by the Mysql daemon, which could be an indicator of "User Defined Functions" abuse to download malware.
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Win
Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
Detects "RegAsm.exe" initiating a network connection to public IP addresses
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker
Detects obfuscated use of stdin to execute PowerShell
Detects obfuscated use of environment variables to execute PowerShell
Detects suspicious user agent strings used by malware in proxy logs
Detects the creation of new files with the ".evtx" extension in non-common or non-standard locations. This could indicate tampering with default EVTX locations in order to evade security controls or si
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for the registry to redirect from the originally speci
Detects a script interpreter (wscript/cscript) opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads.
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
Detects the use of Replace.exe, which can be used to replace a file with another file
Detects programs that connect to uncommon destination ports
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
Detects a "winlogon.exe" process that initiates network communications with public IP addresses
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incom
Detects use of chcp to look up the system locale value as part of host discovery
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Detects port forwarding activity via SSH.exe
Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It's used to hide the file responsible for the initial in
Detects potentially suspicious child processes launched via the ScreenConnect client service.
Detects ScreenConnect program starts that establish a remote access to a system.
Detects potential web shell execution from the ScreenConnect server process.
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Detects suspicious user agent strings used in APT malware in proxy logs
Detects Baby Shark C2 Framework default communication patterns
Detects the update check performed by Advanced IP/Port Scanner utilities.
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling tha
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Fi
Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rul
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Att
Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communicatio
Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network co
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Detects initiated network connections to crypto mining pools
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed techniq
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
Detects requests to disable Microsoft Defender features using PowerShell commands
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of you
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
Detects the execution of the "cloudflared" binary from a non standard location.
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain o
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Detects the execution of a renamed "cloudflared" binary.
Detects commands that temporarily turn off Volume Snapshots
The hypothesis detects potential
Detects the creation of a file with an uncommon extension in an Office application startup folder
Detects the creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework
Detects suspicious parent process for cmd.exe
Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them
Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox method
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to b
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data withi
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Norma
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Detects various execution patterns of the CrackMapExec pentesting framework
Detects the creation of a file with the name "code_tunnel.json" which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.
Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VsCode tunnel feature
Detects the creation or modification of a PowerShell profile which could indicate suspicious activity, as the profile can be used as a means of persistence
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<usern
Detects the creation of a hidden file/folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powers
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell
Adversaries may leverage suspicious child processes of eventvwr.exe to bypass UAC and execute privileged code, indicating potential elevation of privilege. SOC teams should proactively hunt for
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
Detects a network connection initiated by "Regsvr32.exe"
Detects a remote DLL load event via "rundll32.exe".
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (host
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store pay
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Detects execution of Chromium based browser in headless mode
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can someti
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files fro
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and Loc
Detects changes to the ESXi syslog configuration via "esxcli"
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
Detects potential SQL injection attempts via GET requests in access logs.
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Detects listing or file reading of ".dockerenv" which can be a sign of potential container discovery
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Detects user account creation on ESXi system via esxcli
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Detects potentially suspicious child processes of "aspnet_compiler.exe".
Detects usage of Gpg4win to decrypt files
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Detects usage of Gpg4win to encrypt files
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Detects default CSExec service filename which indicates CSExec service installation and execution
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Detects default RemCom service filename which indicates RemCom service installation and execution
Detects potential DLL sideloading of "AVKkid.dll"
Detects potential DLL sideloading of "EACore.dll"
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directo
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can be abused to execute arbitrary binaries.
Detects potential DLL sideloading of "vivaldi_elf.dll"
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
Detects use of the Windows 8.3 short name, which could be used as a method to avoid image-based detection
Detects potential DLL sideloading of "CCleanerDU.dll"
Detects potential DLL sideloading of "CCleanerReactivator.dll"
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Detects programs on a Windows system that should not write executables to disk
Detects programs on a Windows system that should not write scripts to disk
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Detects potential DLL sideloading of "appverifUI.dll"
Detects potential DLL sideloading of "ShellDispatch.dll"
Detects suspicious process command line that uses base64 encoded input for execution with a shell
Detects the creation of a new named pipe using the "mkfifo" utility
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Detects potentially suspicious child processes of a ClickOnce deployment application
Detects potential DLL sideloading of "7za.dll"
Detects potential DLL sideloading of "edputil.dll"
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
Detects execution of "reg.exe" to disable security services such as Windows Defender.
Detects usage of crontab to list the tasks of the user
Detects the use of wget to download content to a suspicious directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Detects the use of grep to discover specific files created by the GobRAT malware
Detects the creation of shell scripts under the "profile.d" path.
Detects execution of shells from a parent process located in a temporary (/tmp) directory
Detects execution of binaries located in potentially suspicious locations via "nohup"
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
Detects PowerShell core DLL being loaded by an Office Product
Detects changes to sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system.
Detects potentially suspicious child processes of "regsvr32.exe".
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
Detects potentially suspicious child processes of "GoogleUpdate.exe"
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
Detects a non-browser process interacting with the Telegram API which could indicate use of a covert C2
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Detects potential DLL sideloading of "wwlib.dll"
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Detects Bitsadmin connections to domains with uncommon TLDs
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
Detects the creation of the LiveKD driver, which is used for live kernel debugging
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
Detects potential DLL sideloading of "chrome_frame_helper.dll"
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
Detects the creation of binaries in the WinSxS folder by non-system processes
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper which dumps the lsass process memory
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legiti
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
Detects Rclone config files being created
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-or
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homo
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homo
Detects potential DLL sideloading of "SolidPDFCreator.dll"
Detects creation of a file named "ntds.dit" (Active Directory Database)
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
Detects suspicious files based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
Detects suspicious encoded User-Agent strings, as seen used by some malware.
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
Detects a suspicious curl process start that adds a file to a web request
Detects usage of "xterm" as a potential reverse shell tunnel
Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD accou
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Detects execution of the bash shell with the interactive flag "-i".
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often lever
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Detects audio capture via PowerShell Cmdlet.
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
Detects CLR DLL being loaded by an Office Product
Detects any assembly DLL being loaded by an Office Product
Detects potential process patterns related to Cobalt Strike beacon activity
Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
Detects Windows shells and scripting applications that write files to suspicious folders
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
Detects potential DLL sideloading of rcdll.dll
Detects attempts of decoding encoded Gzip archives via PowerShell.
Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
The rule detects the use of Wmiexec via PowerShell with specific command-line flags, a
Detects the creation of the default output filename used by the wmiexec tool
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
Adversaries may use NtdllPipe techniques to exfiltrate or execute malicious code by leveraging ntdll.dll content, evading traditional AV/EDR detection mechanisms. SOC teams should pro
By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky k
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Detects a code page switch in command line or batch scripts to a rare language
Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or a fat finger problem (typo by the developer
Detects possible payload obfuscation via the commandline
Shadow Copies storage symbolic link creation using operating system utilities
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
Detects process activity patterns as seen being used by Sliver C2 framework implants
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc
Detects active directory enumeration activity using known AdFind CLI flags
Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
Detects potential commandline obfuscation using known escape characters
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Detects execution of suspicious double extension files in ParentCommandLine
Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files i
Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This method could be used
Detects the use of Jlaive to execute assemblies in a copied PowerShell
Detects the creation of an Office macro file from a suspicious process
Detects the creation of a new Outlook form which can contain malicious code
Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selec
Detects suspicious command lines used in Covenant launchers
Detects suspicious powershell command line parameters used in Empire
Detects some Empire PowerShell UAC bypass methods
Detects well-known mimikatz command line arguments
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
Detects the use of 3proxy, a tiny free proxy server
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Activ
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
Detects the use of the lesser known remote execution tool named CsExec, a PsExec alternative
Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for dow
Detects a suspicious curl process start on Windows and outputs the requested document to a local file
Detects the creation of a new service using powershell.
Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
Detects cmstp loading "dll" or "ocx" files from suspicious locations
When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can
Detects SILENTTRINITY stager dll loading activity
Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrup
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
Detects different hacktools used for relay attacks on Windows for privilege escalation
Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All
Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
Detects suspicious process patterns found in logs when CrackMapExec is used
Detects usage of the Sharp Chisel via the commandline arguments
Detects the use of SharpUp, a tool for local privilege escalation
Detects SILENTTRINITY stager use via PE metadata
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Detects command line parameters or strings often used by crypto miners
Detects usage of the Chisel tunneling tool via the commandline arguments
Detects the use of NirCmd tool for command execution as SYSTEM user
Detects dump of credentials in VeeamBackup dbo
Detects any GAC DLL being loaded by an Office Product
Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
Detects suspicious use of XORDump process memory dumping utility
Detects the creation of a macro file for Outlook.
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
Detects the creation of a macro file for Outlook.
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine
Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it porta
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the
Detects usage of the Quarks PwDump tool via commandline arguments
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
Detects RDP session hijacking by using MSTSC shadowing
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying to the certificate service
Detects command line parameters used by Bloodhound and Sharphound hack tools
Detects the use of the Dinject PowerShell cradle based on the specific flags
Executes Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
Detects command line parameters used by Hydra password guessing hack tool
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and t
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Detects a suspicious process spawning from an Outlook process.
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
Detects the execution of node.exe, which is shipped with multiple software products such as VMware, Adobe, etc., in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.
Detects suspicious powershell execution via a scheduled task where the command ends with suspicious flags to hide the powershell instance instead of executing scripts or commands. This could be a s
Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many thre
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and exe
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Detects when the file "passwd" or "shadow" is copied from tmp path
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
Detects base64 encoded .NET reflective loading of Assembly
Execution of plink to perform data exfiltration and tunneling
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Detects common command used to enable bpf kprobes tracing
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Detects possible Java payloads in web access logs
Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Detects use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Detects attempts to force stop the ufw using ufw-init
Detects usage of system utilities to discover system network connections
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detects execution of the "mount" command with the "hidepid" parameter to make processes invisible to other users on the system
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
Detects usage of the "touch" process in a service file.
Detects powershell scripts that import modules from suspicious directories
Detects potential DLL injection and execution using "Tracker.exe"
Detects suspicious PowerShell scripts accessing SAM hives
Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a means of persistence
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP fil
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
Detects a "Get-Process" cmdlet and its aliases on the lsass process, which is in almost all cases a sign of malicious activity
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
Commandline to launch powershell with a base64 payload
Detects execution of "git" in order to clone a remote repository that contains suspicious keywords
Detects suspicious powershell invocations from interpreters or unusual programs
Detects suspicious PowerShell invocation command parameters
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Detects the creation of doas.conf file in linux host platform.
Detects creation of a cron file or files in cron directories which could indicate potential persistence.
Detects creation of a sudoers file or files in the "sudoers.d" directory which can be used as a potential method to persist privileges for a specific user.
Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, which are both related to the TripleCross persistence method
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
Extract data from cab file and hide it in an alternate data stream
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the Raspberry Robin attack
Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detects usage of the "runexehelper.exe" binary as a proxy to launch other programs
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install
Detects suspicious sub processes of web server processes
Detects usage of "find" binary in a suspicious manner to perform discovery
Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Ad
Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
Detects exploitation attempt using the JNDI-Exploit-Kit
Detects command line parameters or strings often used by crypto miners
Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
Detects usage of the 'Get-Clipboard' cmdlet via CLI
Detects inline execution of PowerShell code from a file
Detects suspicious Splwow64.exe process without any command line parameters
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execut
Attempts to load dismcore.dll after dropping it
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Detects browsers starting with the remote debugging flags, which is a technique often used to perform browser injection attacks
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
Detect use of X509Enrollment
Detects usage of the "usermod" binary to add users to the root or sudoers groups
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
Detects usage of the "type" command to download/upload data from WebDAV server
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
This rule detects the execution of Run Once task as configured in the registry
Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Err
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can d
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Detects suspicious ways to run Invoke-Execution using IEX alias
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Detects usage of system utilities (only grep and egrep for now) to perform security software discovery
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) o
Detects the pattern of a UAC bypass using Windows Event Viewer
Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location. Attackers can create a simple looking task in order to avoid detection on creation as it'
Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
Detects service path modification via the "sc" binary to a suspicious command or path
Detects common commands used in Windows webshells
Detects Obfuscated use of Clip.exe to execute PowerShell
Detects obfuscated PowerShell via VAR++ LAUNCHER
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Detects suspicious process patterns used in NTDS.DIT exfiltration
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Po
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data by malicious actors
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Detects creation of a scheduled task with a GUID like name
Detects suspicious malformed user agent strings in proxy logs
Detects default PsExec service filename which indicates PsExec service installation and execution
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious mo
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be a
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the s
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health servi
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerabl
Detects disabling security tools
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
Conti recommendation to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by m
Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.
There is an option for the MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch a specified executable and attach a debugger. This option may be used by adversaries to execute malicious code by signed v
Detects the installation of an Exchange Transport Agent
Detects NetNTLM downgrade attack
Detects processes loading modules related to PCRE.NET package
Detects processes creating temp files related to PCRE.NET package
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
Detects a suspicious program execution in Outlook temp folder
Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
Detects suspicious Plink tunnel port forwarding to a local port
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Detects a service binary running in a suspicious directory
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Detects setting proxy configuration
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* pre
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Ag
Detects suspicious change of file privileges with chown and chmod commands
Detects possible remote connections to Silenttrinity c2
Detects source code enumeration that uses GET requests with keyword searches in URL strings
Detects suspicious file type dropped by an Exchange component in IIS
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Detects the rare use of the command line tool shutdown to logoff a user
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended des
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network locat
Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard ut
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
Detects usage of the 'chattr' utility to remove immutable file attribute.
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack th
Detects a suspicious curl process start on linux with user agent options set
Detects enumeration of local network configuration
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Detects email exfiltration via powershell cmdlets
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Detects suspicious parent processes that should not have any children or should only have a single possible child program
Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
Detects Bitsadmin connections to IP addresses instead of FQDN names
Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the commandline, which might indicate a persistence attempt
Detects programs on a Windows system that should not write an archive to disk
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Detects the execution of DeviceCredentialDeployment to hide a process from view.
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
Download and compress a remote file and store it in a cab file on the local machine.
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
Detects the creation of files that indicate an interactive use of PowerShell in the SYSTEM user context
Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications reside. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is
Detects a flashplayer update from an unofficial location
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
Detects when an attacker creates a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Sea
Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
Detects the creation of suspicious binary files inside "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load custom DLLs from temp or any user-controlled location in the user's %PATH%
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI based persistence method
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
Detects a Windows command line executable started from MMC
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Detects PowerShell script execution from Alternate Data Stream (ADS)
Detects a suspicious child process of Script Event Consumer (scrcons.exe).
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
Detects suspicious PowerShell invocation with a parameter substring
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
Detects privileged users or groups recon based on event ID 4661 and known privileged users or groups SIDs
Detects encoded base64 MZ header in the commandline
Detects execution of powershell scripts via Runscripthelper.exe
Attackers can use print.exe for remote file copy
Detects potential overwriting and deletion of a file using DD.
Detects suspicious user agent strings used by hack tools in proxy logs
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execu
Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
Detects events with patterns found in commands used for reconnaissance on linux systems
Detects the use of the filename DumpStack.log to evade Microsoft Defender
Detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
Detects XSS attempts injected via GET requests in access logs
Detects SSTI attempts sent via GET requests in access logs
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
Detects the creation of a diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
Detects chmod targeting files in abnormal directory paths.
Detects python spawning a pretty tty
Detects java process spawning suspicious children
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
Detects RunDLL32.exe spawning explorer.exe as a child, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
Detects the creation of copies of suspicious files (EXE/DLL) in the default GPO storage folder
Get-Variable is a valid PowerShell cmdlet. WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
Detects an executable that isn't dropbox but communicates with the Dropbox API
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windo
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
Detects suspicious interactive bash as a parent to rather uncommon child processes
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Detects obfuscated PowerShell via use of MSHTA in scripts
Monitors for the hiding of possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
Detects the usage of the unsafe bpftrace option
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users
Detects a set of suspicious network related commands often used in recon stages
Detects events that appear when a user clicks on a link file with a PowerShell command in it
Uses the .NET InstallUtil.exe application in order to execute an image without logging
Detects the creation of log files during a TeamViewer remote session
TeamViewer_Desktop.exe is created during installation
Detects the creation of new Office macro files on the system
Detects doas tool execution on a linux host platform. This utility allows standard users to perform tasks as root, the same way sudo does.
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 3
Detects the creation of tasks from processes executed from suspicious locations
Detects suspicious msiexec process starts with web addresses as parameter
Detects suspicious process run from unusual locations
Detects Access to Domain Group Policies stored in SYSVOL
Use of hostname to get information
Use of the commandline to shutdown or reboot windows
Use of reg to get MachineGuid information
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
Detects ransomware creating a txt file on the user's Desktop
Detects an attacker collecting audio via the SoundRecorder application.
Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Detects suspicious user agent strings used by crypto miners in proxy logs
Detects usage of base64 utility to decode arbitrary base64-encoded text
The Devtoolslauncher.exe executes another binary
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Detects using register-cimprovider.exe to execute arbitrary dll file.
Detects execution of well-known DNS exfiltration tools
Detects process dump via legitimate sqldumper.exe binary
Detects file execution using the msdeploy.exe lolbin
Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.
Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
Detects an interactive AT job, which may be used as a form of privilege escalation.
Detects the enumeration of other remote systems.
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
Detects Octopus Scanner Malware.
The OpenWith.exe executes another binary
Potential adversaries accessing the microphone and webcam in an endpoint.
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Detects PowerShell script execution via input stream redirect
Detects handles requested to SAM registry hive
A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used for UAC bypass techniques.
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Detects suspicious process related to rasdial.exe
The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions allowing it to create values in the registry, modify files and install drivers. This t
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Detects using SettingSyncHost.exe to run hijacked binary
Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
Detects Windows PowerShell Web Access
Detects WebDav DownloadCradle
Detects WMI command line event consumers
Detects file writes of WMI script event consumer
Detects process connections to a Monero crypto mining pool
Detects system information discovery commands
Detects actions that clear the local ShimCache and remove forensic evidence
Detects various indicators of Microsoft Connection Manager Profile Installer execution
YARA rule: Email_Generic_PHP_Mailer_Script
Generic rule for hostile ACE archive using CVE-2018-20250
Detects APT10 MenuPass Phishing
Detects maldoc with suspicious OLE targeting
Detects Word 2007 XML Document in the Flat OPC format with embedded Microsoft Office 2007+ document
Generic detection for MiraiX version 7
Detects maldoc with exploit for CVE-2017-11882
The 'Contains_DDE_Protocol' rule detects the use of the
Detects malicious files related to CVE-2017-8759
Detects malicious RTF file related CVE-2017-8759
Detects malicious files related to CVE-2017-8759 - file Doc1.doc
Detects malicious files related to CVE-2017-8759 - file cmd.hta
Detects malicious file in relation to CVE-2017-8759 - file exploit.txt
Detects SOAP WDSL Download via JavaScript
This rule was written to hit on specific variables and PowerShell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4.
The FE_LEGALSTRIKE_MACRO rule detects macros using a specific encoding pattern associated with the sample 30f149479c02b74
RTF phishing campaign leveraging the CVE-2017-0199 exploit, pointing to the domain 2bunnyDOTcom
Auto-generated rule - file HRDG022184_certclint.dll
Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0
HackingTeam Android implant, known to detect version v4 - v7
Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195
EQGRP Toolset Firewall - file BUSURPER-2211-724.exe
EQGRP Toolset Firewall - file create_dns_injection.py
EQGRP Toolset Firewall - file eligiblecandidate.py
EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py
EQGRP Toolset Firewall - file MixText.py
EQGRP Toolset Firewall - file networkProfiler_orderScans.sh
EQGRP Toolset Firewall - file payload.py
EQGRP Toolset Firewall - file screamingplow.sh
EQGRP Toolset Firewall - file tunnel_state_reader
The YARA rule 'install_get_persistent_filenames
Detects tool from EQGRP toolset - file 1212.pl
Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl
Detects tool from EQGRP toolset - file bc-genpkt
Detects tool from EQGRP toolset - file bc-parser
Detects tool from EQGRP toolset - file dn.1.0.2.1.linux
Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1
The YARA rule 'EQGRP_false' detects
Detects tool from EQGRP toolset - file installdate.pl
Detects tool from EQGRP toolset - file morel.exe
Detects tool from EQGRP toolset - file noclient-3.0.5.3
Detects tool from EQGRP toolset - file teflondoor.exe
Detects tool from EQGRP toolset - file teflonhandle.exe
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
The YARA rule 'blackhole2_htm6' detects files associated with the BlackHole2 Exploit Kit, which is used to deliver malware via exploit vectors like malicious HTML or JavaScript.
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
BlackHole2 Exploit Kit Detection
ZeroAccess Exploit Kit Detection
ZeroAccess Exploit Kit Detection
ZeroAccess Exploit Kit Detection
The
ZeroAccess Exploit Kit Detection
ZeroAccess Exploit Kit Detection
ZeroAccess Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
Angler Exploit Kit Detection
BlackHole1 Exploit Kit Detection
BleedingLife2 Exploit Kit Detection
BleedingLife2 Exploit Kit Detection
BleedingLife2 Exploit Kit Detection
BleedingLife2 Exploit Kit Detection
CrimePack Exploit Kit Detection
CrimePack Exploit Kit Detection
Eleonore Exploit Kit Detection
This YARA rule detects malicious
Eleonore Exploit Kit Detection
Eleonore Exploit Kit Detection
The 'eleonore_js2' YARA rule detects malicious
Eleonore Exploit Kit Detection
Fragus Exploit Kit Detection
The
Fragus Exploit Kit Detection
Fragus Exploit Kit Detection
Fragus Exploit Kit Detection
Fragus Exploit Kit Detection
The 'fragus_js2'
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
This Y
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Phoenix Exploit Kit Detection
Sakura Exploit Kit Detection
Sakura Exploit Kit Detection
0x88 Exploit Kit Detection
0x88 Exploit Kit Detection
Zeus Exploit Kit Detection
Detects sample mentioned in the Dubnium Report
Detects sample mentioned in the Dubnium Report
Detects sample mentioned in the Dubnium Report
Detects sample mentioned in the Dubnium Report
Detects sample mentioned in the Dubnium Report
Detects sample mentioned in the Dubnium Report
Detects sample mentioned in the Dubnium Report
Detects a dropper from a CAB file mentioned in the article
Detects trojan from APT report named http.exe
Detects a malicious PotPlayer.dll
The "Contains_UserForm_Object" YARA
Detect MIME MSO Base64 encoded ActiveMime file
Detects Codoso APT CustomTCP Malware
Codoso CustomTCP Malware
Detects Codoso APT CustomTCP Malware
Detects Codoso APT CustomTCP Malware
Detects Codoso APT Gh0st Malware
Detects Codoso APT Gh0st Malware
Detects Codoso APT Gh0st Malware
Detects Codoso APT PGV PVID Malware
Detects Codoso APT PGV PVID Malware
Detects Codoso APT PGV PVID Malware
Detects Codoso APT PlugX Malware
Detects Codoso APT PGV PVID Malware
Detects Codoso APT PGV_PVID Malware
The YARA
Detects Codoso APT PlugX Malware
The YARA rule 'Codoso_Plug
Detect a hidden PE file inside a sequence of numbers (comma separated)
The 'Contains_VBA_macro_code' rule detects MS Office documents containing embedded VBA macro code, commonly
Auto-generated rule - from files 32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614, 3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2, 90ba78b6710462c2d97815e8745679942b3
Auto-generated rule - from files 7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094, b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a, edb16d3ccd50fc8f0f77d0875bf50a629fa
Detects the password of the backdoored DropBear SSH Server - BlackEnergy
Detects KillDisk malware associated with the BlackEnergy campaign, targeting critical infrastructure systems. Deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify and block malicious file execution and
Detects KillDisk malware from BlackEnergy
Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs
Detects DropBear SSH Server (not a threat but used to maintain access)
Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious
Detects Derusbi Kernel Driver
Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)
Derusbi Driver version
Derusbi Server Linux version
Phishing Wave - file P-ORD-C-10156-124658.xls
Phishing Wave - file p0o6543f.exe
Detection of virtual appliances through the use of WMI for the purpose of evasion.
Carbanak Malware
Carbanak Malware
Carbanak Malware
The Y
Detects Emdivi Malware
Detects Emdivi Malware
Detects Emdivi Malware
The Emdivi_SFX
Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300
Auto-generated rule - from files 32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a, 63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb
Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8
Exploit Sample CVE-2015-5119
YARA rule: cve_2013_0074
Detects CloudDuke Malware
Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe
MS15-078 / MS15-077 exploit - generic signature
MS15-078 / MS15-077 exploit - Hacking Team code
Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3
Kaspersky APT Report - Duqu2 Sample - Malicious MSI
Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69
Kaspersky APT Report - Duqu2 Sample - Generic Rule
Detects a Microsoft Office file that contains the AutoOpen macro function
Rule to detect DarkEYEv3 encrypted executables (often malware)
Detects APT backspace
Detects Samples related to APT17 activity - file FXSST.DLL
CVE-2015-1701 compiled exploit code
The YARA rule '
Match first two bytes, files and string present in iBanking
The 'office_document_vba' rule detects Office documents containing embedded VBA macros,