EXPLORE DETECTIONS

298 detections found

Packages in Container Images - Match Lookup File

Parses packages from ImageVulnerabilityEvents and cross-references them with a lookup file to identify matching entries. A lookup file with a list of packages needs to be uploaded first. Example:

| PackageName | Version |
|---|---|
| Package | 1.0.0 |

CrowdStrike

Packages in Container Images - Match Parameter

Searches packages using the provided parameter and returns the corresponding image repository.

CrowdStrike

Password Spray Many Users from Same IP Microsoft Defender for Identity

Detects multiple authentication failures across several user accounts originating from a single IP address, as identified by Microsoft Defender for Identity. This pattern is indicative of a password spraying attack, where an attacker attempts common passwords against multiple users to gain unauthorized access.

T1110.003
CrowdStrike

Phishing - List of links opened from Outlook

T1566
CrowdStrike

Possible DC Replication (DCSync)

Detects suspicious attempts to replicate Active Directory data from a Domain Controller using the DCSync technique, based on the Defender for Identity module. This behavior may indicate an attacker attempting to extract sensitive credentials (such as password hashes) by mimicking domain replication requests.

T1003.006
CrowdStrike

Potential Lateral Movement through RDP

Detects when a user account initiates Remote Desktop Protocol (RDP) sessions across multiple systems within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate potential lateral movement by an attacker or unauthorized use of administrative access.

This query detects potential lateral movement activity by analyzing Kerberos/NTLM remote desktop logon events from Microsoft Defender for Identity. It groups authentication events by username and flags users who logged into more than one unique device within a 60-minute window.

T1021.001
CrowdStrike

Powershell Command Length Anomaly Detection

This query establishes a 7-day baseline of average PowerShell command lengths for each host. It then compares this baseline to the average command length of the last 24 hours. The query identifies hosts with a significant percentage increase in command length, which can be an indicator for obfuscation, fileless execution, or other malicious activities associated with "Living off the Land" techniques.

## Why PowerShell is a Target for Attackers

PowerShell is an integral part of modern Windows systems and offers powerful automation capabilities through its .NET integration. These features also make it attractive to attackers:

- **Pre-installed:** Available on every Windows system (no additional code needed).
- **Powerful Access:** Direct access to Windows APIs and network resources.
- **In-Memory Execution:** Capable of running code directly from memory (fileless execution).
- **Often Under-Monitored:** Frequently lacks sufficient monitoring or restrictions.

Attackers use **"Living off the Land"** tactics to leverage PowerShell for stealthy attacks without deploying additional tools.

## Why Command Length Deviations Indicate Threats

Attackers often employ methods that result in unusually long command lines. Monitoring deviations from normal command length is a valuable approach for detecting suspicious activity. Unusually long commands can indicate:

* **Obfuscation:**
  * **Encoding:** Using Base64 (`-EncodedCommand`), hexadecimal, or ASCII to hide commands.
  * **Escape Characters:** Using backticks (`` ` ``) to impair readability.
  * **Embedding Payloads:** Inserting entire scripts or binary payloads directly into the command line.
* **Fileless Execution & LotL:** Complex one-liners are used to download and execute payloads from remote sources, leading to longer commands.
* **Offensive Frameworks:** Tools like Empire, PowerSploit, or Cobalt Strike often generate long, obfuscated commands for their payloads.

Unusually long commands are a strong indicator because they directly correlate with common attacker techniques for evasion and execution (e.g., [T1027.010 Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/010/)). Legitimate administrative tasks rarely require the extreme lengths produced by these methods.

| Technique | Impact on Length | Description |
| :--- | :--- | :--- |
| Base64 (`-EncodedCommand`) | Significant Increase | Hides script content; very common for payload delivery. |
| String Concatenation | Moderate/Variable Increase | Used to break up keywords and evade simple string matching. |
| Remote Download Cradles | Variable (Often Long) | Commands like `IEX (New-Object Net.WebClient).DownloadString(...)` can be long. |
| Embedded Scripts/Payloads | Significant Increase | Entire scripts or binaries are passed in the command line, nearing max length. |

## The Power of Baselining: Establishing "Normal"

This query is based on the core idea of baselining "normal" activity for PowerShell command lengths and then identifying significant deviations from that norm.

### Creating the Baseline

The query analyzes historical PowerShell executions over a defined period (7 days) to calculate statistical measures (the average) for command lengths. This establishes the expected range. By comparing the last day's average length against this historical baseline, the query can flag anomalous increases.

A **7-day baseline** is chosen to:

- Capture weekly operational cycles (e.g., weekend maintenance scripts).
- Balance stability and adaptability, smoothing out daily fluctuations while remaining responsive to real changes.

T1059.001, T1027.010
CrowdStrike

Powershell Downloads

This query detects PowerShell downloads using `Start-BitsTransfer`, `Invoke-WebRequest`, or `System.Net.WebClient`.

T1059
CrowdStrike

Rare Remote Ports in Network Connections

The query analyzes IPv4 network connection events, counts occurrences per remote port, calculates their percentage of total connections, and lists only ports representing less than 10% of the traffic. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Bottom%2010%25%20of%20NetworkConnct%20Port%20Values.md)

CrowdStrike

Rare windows shell parent process

This hunting query is designed to detect rare shell parent processes:

1. **Filter for Windows Events**: `#event_simpleName=ProcessRollup2` `event_platform=Win`
2. **Classify Processes**: `(case { in(field=FileName, values=["powershell.exe", "cmd.exe", "pwsh.exe"]) | IsChild := "1";)`
   - If the FileName matches a shell (powershell.exe, cmd.exe, pwsh.exe), the process is marked as a child process
   - Otherwise, it is marked as not a child process
3. **Assign Process Information**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i`
   - For child processes (`IsChild = "1"`), the `ProcId` is set to the `ParentProcessId`
   - For non-child processes (`IsChild = "0"`), the `ProcId` is set to the `TargetProcessId`
4. **Group by Computer and Process**:
   - The query groups events by `ComputerName` and `ProcId` to analyze process relationships.
   - Calculation of the distinct count of `ParentProcessId` as `EventCount`

CrowdStrike

Recent RTR Sessions

List of the recent Real Time Response sessions that were started.

CrowdStrike

Remediation - Host Contained

This query lists all isolated devices and identifies who initiated the isolation.

CrowdStrike

Remote Interactive Logons (RDP)

Identifies remote interactive logons on a specific endpoint. The query filters UserIdentity events for LogonType=10, which typically indicates Remote Desktop or similar remote access sessions. Results are scoped by the provided aid and display up to 1,000 events, including timestamp, username, user principal, and the logon server. Useful for detecting and reviewing remote access activity during investigations or routine monitoring.

**Use Cases**

- Review RDP usage on a host
- Investigate potential unauthorized remote access
- Support incident response and access audits

LogonType=10 corresponds to remote interactive logons. The aid parameter must be set to the target endpoint.

T1021
CrowdStrike

Remote Port Forwarding via Plink - Unauthorized RDP Tunneling Detection

Detects the use of Plink (PuTTY Link) to establish remote port forwarding tunnels, specifically targeting traffic redirected to port 3389 (RDP). This technique is frequently used by threat actors for lateral movement or to bypass firewall restrictions by tunneling RDP over SSH.

Attackers use `plink.exe`, the command-line SSH client from PuTTY, to create encrypted SSH tunnels that forward RDP traffic (port 3389) through firewall boundaries. This allows an attacker with an existing foothold to RDP into internal systems even when direct RDP is blocked.

## Forwarding Flags

* **-R (Remote Forward):** Attacker binds a port on their server and pulls traffic back to an internal RDP target.
* **-L (Local Forward):** Victim machine forwards a local port outbound to an RDP target via the SSH server.

## Why It's Dangerous

Because the tunnel rides over SSH (typically port 22 or 443), it blends with legitimate encrypted traffic and often bypasses firewall and DLP controls. The resulting RDP session appears to originate from inside the network.

## Testing the Detection

You can safely validate this detection on an enrolled endpoint without establishing an actual tunnel. The connection will fail immediately, but the EDR will still capture the `ProcessRollup2` event.

### 1. Download and Execute (PowerShell)

```powershell
Invoke-WebRequest -Uri "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "$env:TEMP\plink.exe"

# Test -R (remote forward)
& "$env:TEMP\plink.exe" -R 4444:localhost:3389 user@192.168.1.1

# Test -L (local forward)
& "$env:TEMP\plink.exe" -L 4444:localhost:3389 user@192.168.1.1
```

T1572, T1021.004
CrowdStrike
Page 11 of 13