EXPLORE DETECTIONS
7-Zip used by attackers to prepare data for exfiltration
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
Active Directory Domain Services Elevation of Privilege Vulnerability, CVE-2021-42278
The following query detects possible exploitation of CVE-2021-42278 (sAMAccountName spoofing) by finding device name changes in the network, using Microsoft Defender for Identity events.
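An added example of that detection logic, not the page's own query: it flags computer-account renames that drop the trailing `$` or that collide with a domain controller name, which is the rename an attacker performs before requesting a ticket as the DC. It assumes the Defender for Identity `IdentityDirectoryEvents` table and that the `AdditionalFields` payload carries the keys `FROM SAM Account Name` and `TO SAM Account Name` (assumed key names); the DC list is a placeholder to replace with your own.

```kusto
// Added example (not the page's own query). Assumes the IdentityDirectoryEvents
// table and the AdditionalFields keys "FROM SAM Account Name" / "TO SAM Account Name".
let lookback = 7d;
// Assumption: sAMAccountNames of your domain controllers, without the trailing "$".
let DomainControllerNames = dynamic(["DC01", "DC02"]);
IdentityDirectoryEvents
| where Timestamp > ago(lookback)
| where ActionType == "SAM Account Name changed"
| extend FromSam = tostring(parse_json(AdditionalFields)["FROM SAM Account Name"])
| extend ToSam   = tostring(parse_json(AdditionalFields)["TO SAM Account Name"])
// Case 1: a machine account ($-suffixed) renamed to a name without "$"
// Case 2: any account renamed to a domain controller's name (the impersonation target)
| where (FromSam endswith "$" and ToSam !endswith "$")
     or ToSam in~ (DomainControllerNames)
| project Timestamp, ActionType, TargetDeviceName, TargetAccountDisplayName,
          FromSam, ToSam, AccountName, AccountDomain, DeviceName, ReportId
```

`AccountName` and `AccountDomain` identify who performed the rename; the exploit requires that principal to have write rights over the computer object, so a rename by an ordinary user account is the strongest signal. A rename back to the original name shortly afterwards (the attacker cleaning up after obtaining the ticket) will also appear in this table and is worth pairing with the first event.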
Add uncommon credential type to application [Nobelium]
The query looks for users or service principals that attached an uncommon credential type to an application.
Anomalous use of MailItemAccess by GraphAPI [Nobelium]
This query looks for anomalies in mail item access events made through the Graph API. It uses the standard deviation to decide whether the number of events is anomalous: it returns every client ID for which the number of mail item access events on a given day exceeds the value given by the formula `average + STDThreshold(2.5) * (standard deviation)`, where the average and standard deviation are computed over that client ID's daily counts.
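An added example of that baseline-and-threshold approach, not the page's own query: it builds a per-client-app daily count of `MailItemsAccessed` events, computes the mean and standard deviation of those counts, and returns the days whose count exceeds `average + 2.5 * stdev`. It assumes the Microsoft 365 Defender `CloudAppEvents` table and that the `MailItemsAccessed` audit record exposes the calling application as `RawEventData.ClientAppId` (assumed field name).

```kusto
// Added example (not the page's own query). Assumes CloudAppEvents and that
// MailItemsAccessed records carry RawEventData.ClientAppId.
let lookback = 30d;
let STDThreshold = 2.5;
let minBaselineDays = 7;   // skip apps with too little history for a meaningful stdev
let daily = CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "MailItemsAccessed"
| extend ClientAppId = tostring(RawEventData.ClientAppId)
| where isnotempty(ClientAppId)
| summarize DailyCount = count() by ClientAppId, Day = startofday(Timestamp);
let baseline = daily
| summarize Avg = avg(DailyCount), Std = stdev(DailyCount), Days = count() by ClientAppId
| where Days >= minBaselineDays;
daily
| join kind=inner baseline on ClientAppId
| extend Threshold = Avg + STDThreshold * Std
| where DailyCount > Threshold
| project Day, ClientAppId, DailyCount, Avg, Std, Threshold
| order by Day desc, DailyCount desc
```

Two caveats a practitioner should keep in mind: the baseline includes the anomalous day itself, which inflates the standard deviation and makes the test slightly conservative; and an app with a single huge day and an otherwise quiet history can still slip under the threshold because `stdev` grows with that same outlier. Excluding the most recent day from the baseline, or using a median-based spread, tightens both.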
Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]
This query looks for users accessing multiple other users' mailboxes, or accessing multiple folders in another user's mailbox.
AppArmor service stopped
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Backdoor associated with privilege escalation vulnerability, CVE-2019-0808
This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*.
Base64-encoded Nishang commands for loading reverse shell
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
BazaCall dropping payload via certutil.exe
BazaCall is a campaign that manipulates users into calling a fake customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.
BazaCall Excel file download domain pattern
BazaCall is a campaign that manipulates users into calling a fake customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.
Browser cookie theft by campaigns using Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Command and control associated with privilege escalation vulnerability, CVE-2019-0808
This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*.
Compromised certificate [Nobelium]
Searches for files signed with a compromised certificate associated with the Nobelium campaign.
Confluence and WebLogic servers targeted by campaign
This query was originally published in the threat analytics report, *Confluence and WebLogic abuse*.
Credential harvesting through WDigest cache
This query was originally published in the threat analytics report, *WDigest credential harvesting*.
Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]
Credentials were added to an application by one user (UserA) after the application was granted admin consent by a different user (UserB).
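An added example of that two-user correlation, not the page's own query: it joins successful admin-consent grants with later credential additions on the same application object and keeps only the pairs where the consenting user and the credential-adding user differ. It assumes the Azure AD `AuditLogs` table in Log Analytics, the operation names `Consent to application` and `Update application – Certificates and secrets management` (assumed exact strings, matched with `has` for safety), and that admin consent is recorded as the modified property `ConsentContext.IsAdminConsent` with value `True` (assumed property name).

```kusto
// Added example (not the page's own query). Assumes the AuditLogs table, the two
// operation names named in the lead-in, and the ConsentContext.IsAdminConsent property.
let lookback = 14d;
let maxGap = 3d;   // credential must be added within this window after the consent
let consents = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName has "Consent to application" and Result =~ "success"
| mv-expand Target = TargetResources
| extend AppObjectId = tostring(Target.id), AppName = tostring(Target.displayName)
| extend ConsentBy = tostring(InitiatedBy.user.userPrincipalName)
// keep only admin consent (user consent to low-privilege scopes is routine noise)
| mv-apply Prop = Target.modifiedProperties on (
    where tostring(Prop.displayName) =~ "ConsentContext.IsAdminConsent"
      and tostring(Prop.newValue) has "True")
| project ConsentTime = TimeGenerated, AppObjectId, AppName, ConsentBy;
let credentialAdds = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName has "Certificates and secrets management" and Result =~ "success"
| mv-expand Target = TargetResources
| extend AppObjectId = tostring(Target.id)
| extend CredentialBy = tostring(InitiatedBy.user.userPrincipalName)
| project CredentialTime = TimeGenerated, AppObjectId, CredentialBy;
consents
| join kind=inner credentialAdds on AppObjectId
| where CredentialTime between (ConsentTime .. (ConsentTime + maxGap))
| where ConsentBy !~ CredentialBy   // UserA consented, a different UserB added the secret
| project ConsentTime, CredentialTime, AppName, AppObjectId, ConsentBy, CredentialBy
| order by CredentialTime desc
```

Credential additions performed by a service principal rather than a user leave `InitiatedBy.user` empty; if your tenant automates app registration, extend `CredentialBy` with `coalesce(..., tostring(InitiatedBy.app.displayName))` so those rows are not silently dropped by the inequality test.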
Cypherpunk remote execution through PSEXESVC
This query was originally published in the threat analytics report, *Cypherpunk ransomware leaves wake of tampered AVs*.
Detect .ace files associated with WinRAR absolute path traversal exploit, CVE-2018-20250
This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*.
Detect .jse file creation events
This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*.
Detect activity associated with malicious DLL, cyzfc.dat
These queries were originally published in the threat analytics report, *Attacks on gov't, think tanks, NGOs*.
Detect activity by the penetration tool, MailSniper
This query was originally published in the threat analytics report, *MailSniper Exchange attack tool*.
Detect anomalous process trees
This query generates process trees for the given processes and performs anomaly detection on them. It builds each tree up to seven levels deep.
Detect attempts to turn off System Restore
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).