EXPLORE

EXPLORE DETECTIONS

🔍
9,403 detections found

.Class Extension URI Ending Request

Detects requests to URI ending with the ".class" extension in proxy logs. This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.

Sigmamedium

.RDP File Created By Uncommon Application

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

Sigmahigh

'File From Host Collected via Portal or Live Response

This query lists all the file downloads from an onboarded EDR device. The query lists the two file collection methods:

T1005
KQL

(Mass) Cloud Resource Deletion

This query can be used to detect (mass) resource deletion in your cloud environment. The query uses the *Threshold* and *BinSize* variables to trigger. The default is set to the deletion of 20 cloud resources in a timespan of 1 day, you can modify this to your needs.

T1485
KQL

*Detection Title*

Description of the detection rule.

T1134.002T1134
KQL

*Known RAT/RMM process patterns*

Hypothesis: Attackers will eventually leverage legitimate desktop support and remote access tools (RATs) to establish an interactive command and control channel to target systems within networks. The patterns were based on this excelent resource and might need an update upon usage given that more patterns should have been added: https://github.com/0x706972686f/RMM-Catalogue

T1219
KQL

*NTDS.DIT File Modifications*

NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It serves as the primary database file within Microsoft’s Active Directory Domain Services (AD DS). Adversaries may attempt to access or modify the Active Directory domain database in order to steal credential information or perform other types of attack. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.

T1003T1003.003
KQL

*Rare or low-prevalent outgoing, successful IPv4 connections from non-browser processes*

Hypothesis: Attackers will eventually communicate to the external networks (Internet) where their infrastructure is located. What if that originates from a low prevalence process communicating over TCP via an uncommon port?

KQL

3CX Supply Chain Attack Network Indicators

The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.

Splunk

7-ZIP used by attackers to prepare data for exfiltration

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

KQL

7zip CommandLine To SMB Share Path

The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.

Splunk

7Zip Compressing Dump Files

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

T1560.001
Sigmamedium

A Member Was Added to a Security-Enabled Global Group

Detects activity when a member is added to a security-enabled global group

T1098
Sigmalow

A Member Was Removed From a Security-Enabled Global Group

Detects activity when a member is removed from a security-enabled global group

T1098
Sigmalow

A New Trust Was Created To A Domain

Addition of domains is seldom and should be verified for legitimacy.

T1098
Sigmamedium

A Rule Has Been Deleted From The Windows Firewall Exception List

Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

T1686.003
Sigmamedium

A scheduled task was created

Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.

T1053T1053.005
Elasticlow

A Security-Enabled Global Group Was Deleted

Detects activity when a security-enabled global group is deleted

T1098
Sigmalow

AADInternals PowerShell Cmdlets Execution - ProccessCreation

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Sigmahigh

AADInternals PowerShell Cmdlets Execution - PsScript

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Sigmahigh

AADSignInEventsBeta - Hunting Potential Seamless SSO Usage

Legacy query, please use https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql instead

KQL

AADSignInEventsBeta - Suspicious User agent

Legacy Query, please use: https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Suspicious%20User%20agent.kql

KQL

Abnormal Process ID or Lock File Created

Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

T1106T1036T1036.005
Elasticmedium

Abnormally Large DNS Response

Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.

T1210T1499T1499.004
Elasticmedium
Page 1 of 392Next