EXPLORE DETECTIONS
File From Host Collected via Portal or Live Response
This query lists all the file downloads from an onboarded EDR device. The query lists the two file collection methods:
(Mass) Cloud Resource Deletion
This query can be used to detect (mass) resource deletion in your cloud environment. The query uses the *Threshold* and *BinSize* variables to trigger. The default is set to the deletion of 20 cloud resources in a timespan of 1 day, you can modify this to your needs.
*Known RAT/RMM process patterns*
Hypothesis: Attackers will eventually leverage legitimate desktop support and remote access tools (RATs) to establish an interactive command and control channel to target systems within networks. The patterns were based on this excellent resource and may need updating before use, since more patterns have likely been added since: https://github.com/0x706972686f/RMM-Catalogue
*NTDS.DIT File Modifications*
NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It serves as the primary database file within Microsoft’s Active Directory Domain Services (AD DS). Adversaries may attempt to access or modify the Active Directory domain database in order to steal credential information or perform other types of attack. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
*Rare or low-prevalent outgoing, successful IPv4 connections from non-browser processes*
Hypothesis: Attackers will eventually communicate to the external networks (Internet) where their infrastructure is located. What if that originates from a low prevalence process communicating over TCP via an uncommon port?
7-ZIP used by attackers to prepare data for exfiltration
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
AADSignInEventsBeta - Hunting Potential Seamless SSO Usage
Legacy query, please use https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql instead
AADSignInEventsBeta - Suspicious User agent
Legacy Query, please use: https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Suspicious%20User%20agent.kql
Access Review On Role Assignable Group AutoDeleted
This happens when a role such as Identity Governance Admin tries to do an access review on a role-assignable group.
Active Directory Domain Services Elevation of Privilege Vulnerability, CVE-2021-42278
The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity.
Add custom security attribute definition in an attribute set
The Custom Attribute Diagnostic log must be enabled. This can only be done by the Attribute Log Administrator role (Global Admin is NOT able to perform this).
Add uncommon credential type to application [Nobelium]
The query looks for users or service principals that attached an uncommon credential type to an application.
Adult Content MDE DeviceNetworkEvents
Use Web Content Filtering in MDE to block Adult Content https://learn.microsoft.com/en-us/defender-endpoint/web-content-filtering?WT.mc_id=MVP_473477
Advanced Feature Disabled
Defender for Endpoint Advanced Features are very powerful; some examples are:
Alert Efficiency
The rule below can be used to calculate the efficiency of custom detection rules in your environment. The line `| where AlertName startswith "[DxBP]"` should be replaced with the prefix of your custom detection rules, or removed completely to include built-in rules as well.
All BlackCat/ALPHV Ransomware IOCs with one KQL query
Actor: BlackCat/ALPHV
AMSI Script Detection
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads.
Analytics Rules Efficiency
This query aims to improve the false positive ratio you have in Sentinel. It lists the analytics rules that have triggered most often in the selected TimeRange. These analytics rules can either be enabled ones from a template or custom created detections. For each analytics rule the following stats are collected:
Anomalous Amount of LDAP traffic
Adversaries can use LDAP to collect environment information. The query below can be used to detect anomalous amounts of LDAP queries from an originating device. This is done by baselining the normal amount of LDAP queries a device performs each hour. This query gives you input on which devices might need to be investigated.
Anomalous amount of SMB sessions created (BloodHound)
This detection rule aims to detect a host that performs SMB discovery by alerting if a device creates more than 50 unique SMB sessions within 15 minutes. That is one of the characteristics of BloodHound. The SMB sessions can be used to identify remote systems.
Anomalous Group Policy Discovery
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and patterns in domain objects that can be manipulated or used to blend in to the environment. Group Policies may contain valuable information for an attacker. This query detects when a device performs a Group Policy discovery that has not been performed from that device in the last 30 days.
Anomalous use of MailItemAccess by GraphAPI [Nobelium]
This query looks for anomalies in mail item access events made by Graph API. It uses standard deviation to determine if the number of events is anomalous. The query returns all clientIDs where the amount of mail sent per day was larger than the value given by the formula, `average + STDThreshold(2.5)*(standard deviation)`.
Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]
This query looks for users accessing multiple other users' mailboxes, or accessing multiple folders in another user's mailbox.