EXPLORE DETECTIONS
.Class Extension URI Ending Request
Detects requests to URI ending with the ".class" extension in proxy logs. This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
'File From Host Collected via Portal or Live Response
This query lists all the file downloads from an onboarded EDR device. The query lists the two file collection methods:
(Mass) Cloud Resource Deletion
This query can be used to detect (mass) resource deletion in your cloud environment. The query uses the *Threshold* and *BinSize* variables to trigger. The default is set to the deletion of 20 cloud resources in a timespan of 1 day, you can modify this to your needs.
*Detection Title*
Description of the detection rule.
*Known RAT/RMM process patterns*
Hypothesis: Attackers will eventually leverage legitimate desktop support and remote access tools (RATs) to establish an interactive command and control channel to target systems within networks. The patterns were based on this excelent resource and might need an update upon usage given that more patterns should have been added: https://github.com/0x706972686f/RMM-Catalogue
*NTDS.DIT File Modifications*
NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It serves as the primary database file within Microsoft’s Active Directory Domain Services (AD DS). Adversaries may attempt to access or modify the Active Directory domain database in order to steal credential information or perform other types of attack. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
*Rare or low-prevalent outgoing, successful IPv4 connections from non-browser processes*
Hypothesis: Attackers will eventually communicate to the external networks (Internet) where their infrastructure is located. What if that originates from a low prevalence process communicating over TCP via an uncommon port?
3CX Supply Chain Attack Network Indicators
The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.
7-ZIP used by attackers to prepare data for exfiltration
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
7zip CommandLine To SMB Share Path
The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.
7Zip Compressing Dump Files
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
A Member Was Added to a Security-Enabled Global Group
Detects activity when a member is added to a security-enabled global group
A Member Was Removed From a Security-Enabled Global Group
Detects activity when a member is removed from a security-enabled global group
A New Trust Was Created To A Domain
Addition of domains is seldom and should be verified for legitimacy.
A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
A scheduled task was created
Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
A Security-Enabled Global Group Was Deleted
Detects activity when a security-enabled global group is deleted
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
AADInternals PowerShell Cmdlets Execution - PsScript
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
AADSignInEventsBeta - Hunting Potential Seamless SSO Usage
Legacy query, please use https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql instead
AADSignInEventsBeta - Suspicious User agent
Legacy Query, please use: https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Suspicious%20User%20agent.kql
Abnormal Process ID or Lock File Created
Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.
Abnormally Large DNS Response
Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.