
EXPLORE DETECTIONS

581 detections found

Exchange vulnerability launching subprocesses through UMWorkerProcess

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

KQL

Executable File Extensions downloaded via HTTP GET

List executable file extensions downloaded via HTTP GET

KQL

Executables in AppData Local Roaming

Remains a common TTP despite other user-writable and executable paths in Windows

KQL

Exploit Guard Network Protection Triggered

Microsoft offers network protection for devices. Blocking can be based on custom indicators uploaded to the portal or on a website's reputation; depending on that reputation, an alert may be generated. The most common Response Categories are: CustomPolicy, CustomBlockList, CasbPolicy (Defender for Cloud Apps), Malicious and Phishing. The query contains a filter to exclude all custom indicators, which may otherwise overwhelm the results.

KQL

Exploitable_CVE_AllDevices

KQL

FIDO AAGUID Passkey Explorer

This query looks up AAGUIDs and their device manufacturer using Passkey Explorer.

KQL

File creation with WinRAR absolute path traversal exploit, CVE-2018-20250

This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*.

KQL

File that contains malware detected by Defender For Cloud Apps

This query lists *FileMalwareDetected* events based on content uploaded to your cloud applications (such as OneDrive, SharePoint). This activity does not always raise an alert.

T1204.002, T1204
KQL

Files Loaded by Suspicious Executable

This query is designed to list the files that have been loaded by a suspicious executable. Malware often loads DLLs to function properly; these DLLs can be identified by supplying the SHA1 hash of the malicious executable as *InputSHA1*.

KQL

Find all the processes a file has created and the associated FileNames, FileLocations and SHA1 hashes that the file has had.

----

KQL

Find data destruction related to Wadhrama ransomware

This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.

KQL

Find RDP persistence attempts related to Wadhrama ransomware

This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.

KQL

Find user accounts potentially affected by Cobalt Strike

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

KQL

Find vulnerable Dell driver, dbutil_2_3.sys

This query was originally published in the threat analytics report, *Multiple EOP flaws in Dell driver (CVE-2021-21551)*.

KQL

FireEye Red Team tool CVEs [Nobelium]

Search for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group.

KQL

FireEye Red Team tool hashes [Nobelium]

This query searches for the hashes of the FireEye Red Team tools compromised by the Nobelium activity group.

KQL

FOCI Client ID Detection

This query checks sign-in logs for Family of Client IDs (FOCI) applications.

KQL

Follina Detection

Follina Detection

KQL

Forensics on Registry Run keys in Windows.

Registry Run keys can be used to establish persistence on a device.

KQL

Function: AnonymizedMicrosoftGraphActivityLogs()

This function removes the Azure IDs from MicrosoftGraphActivityLogs and replaces them with an ID of your choosing. This allows you to share your screen without revealing the particular groups/users being queried through the Graph API.

KQL

Function: AVScanResults()

The KQL function *AVScanResults()* collects this information. The function takes two input variables, *DeviceIdInput* and *AvScanType*: *DeviceIdInput* is the DeviceId of the device whose results you want to list, and *AvScanType* can be Quick, Full or Custom.

KQL

Gaming Domains - DeviceNetworkEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Gaming.csv"] with (format="csv", ignoreFirstRecord=True);

KQL