EXPLORE DETECTIONS

581 detections found
List the top 100 accounts that have performed the most impersonated actions

This query lists the top 100 accounts that have performed the most impersonated actions. The definition of the underlying field (IsImpersonated in CloudAppEvents) is: *Indicates whether the activity was performed by one user for another (impersonated) user*.

KQL

Live Response File Collection

This query lists all the GetFile activities that have been executed through Live Response, including the SHA256 hash of the collected file (when available).

KQL

Living Off The Tunnels IOCS

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Living%20Off%20The%20Tunnels%20%20IOCs.csv"] with (format="csv", ignoreFirstRecord=True);

KQL

Living Off Trusted Sites

The Living Off Trusted Sites (LOTS) project is included in the queries below. The project describes itself as: *Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. The list of websites below allow attackers to use their domain or subdomain.* The query below can be used to hunt for LOTS websites that are rare in your organization or are contacted by rare *InitiatingFiles*. It lists all LOTS domains found and how often they are contacted, which can serve as input for further investigation or as the start of a threat hunting case.

KQL
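An added example of the hunt described above, written for this page and not the catalog's own query: it matches outbound connections against a small constructed subset of LOTS domains and ranks each domain/initiating-file pair by the number of devices it appears on, so rare pairs surface first. The domain list, the lookback window, the `RareDeviceThreshold` value and the last-two-labels domain heuristic are all assumptions; in practice the full list should be loaded with externaldata from the LOTS project's CSV, and multi-label public suffixes such as co.uk need a proper suffix list.

```kql
// Added example, not the catalog's query. Constructed sample of LOTS domains;
// the real list is larger and should be loaded with externaldata.
let LotsDomains = datatable(Domain: string) [
    "pastebin.com", "transfer.sh", "ngrok.io", "discord.com", "github.io"
];
let lookback = 30d;                 // assumption
let RareDeviceThreshold = 3;        // assumption: seen on <= 3 devices counts as rare
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host name or a full URL; give parse_url a scheme so Host is filled.
| extend Url = iff(RemoteUrl contains "://", RemoteUrl, strcat("http://", RemoteUrl))
| extend Host = tolower(tostring(parse_url(Url).Host))
| where isnotempty(Host)
// Heuristic: the registrable domain is the last two labels (wrong for co.uk-style suffixes).
| extend Domain = extract(@"([^.]+\.[^.]+)$", 1, Host)
| join kind=inner LotsDomains on Domain
| summarize Connections = count(),
            Devices = dcount(DeviceName),
            SampleUrls = make_set(RemoteUrl, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by Domain, InitiatingProcessFileName, InitiatingProcessFolderPath
// Rare in the organisation: few devices talk to this domain from this initiating file.
| extend RareInOrg = Devices <= RareDeviceThreshold
| order by RareInOrg desc, Devices asc, Connections asc
```

Grouping on the initiating file's folder path as well as its name separates a signed browser in Program Files from a same-named binary dropped in a user's temp directory, which is the case this hunt is after.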

Local Administrator Additions

Adversaries may create local accounts to maintain access to victim systems. This query lists all the local admins that have been added in the selected timeframe, per device.

T1136.001 T1136
KQL
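An added example for the entry above, written for this page and not the catalog's own query. It assumes that DeviceEvents reports local group membership changes as ActionType "UserAccountAddedToLocalGroup", that AdditionalFields carries GroupName and GroupSid, and that AccountName/AccountSid hold the member that was added; the 7-day window stands in for the "selected timeframe". Matching on the well-known SID S-1-5-32-544 rather than the name "Administrators" keeps the query correct on localised systems and when the group has been renamed.

```kql
// Added example, not the catalog's query. Assumptions: ActionType
// "UserAccountAddedToLocalGroup" in DeviceEvents, GroupSid/GroupName in
// AdditionalFields, AccountName/AccountSid = the member that was added.
// S-1-5-32-544 is Builtin\Administrators on every Windows machine.
let lookback = 7d;                  // assumption: the "selected timeframe"
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Fields = parse_json(AdditionalFields)
| extend GroupSid = tostring(Fields.GroupSid),
         GroupName = tostring(Fields.GroupName)
| where GroupSid == "S-1-5-32-544"
| project Timestamp, DeviceName, GroupName,
          AddedAccount = strcat(AccountDomain, @"\", AccountName), AccountSid,
          Actor = InitiatingProcessAccountName,
          ActorProcess = InitiatingProcessFileName,
          ActorCommandLine = InitiatingProcessCommandLine
// One row per device, as the catalog entry describes.
| summarize Additions = count(),
            AddedAccounts = make_set(AddedAccount, 50),
            Actors = make_set(Actor, 20),
            ActorCommandLines = make_set(ActorCommandLine, 10),
            FirstAddition = min(Timestamp),
            LastAddition = max(Timestamp)
    by DeviceName
| order by Additions desc
```

Additions made with `net localgroup administrators <user> /add` surface with net1.exe as the actor process, since net.exe hands the work to net1.exe; pairing the result with "UserAccountCreated" events from the same device covers the account-creation half of T1136.001.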

Local Group Created

This query lists all the local groups that have been created. It does so by listing all SecurityGroupCreated events and filtering out group creations on Domain Controllers, since those are domain groups rather than local ones. The GroupDomainName can be used to identify on which device the group has been created.

KQL

Local Group Discovery

Adversaries often execute the *net localgroup administrators* command to get information about the local admins on a device, but other groups can be interesting too. This query can be used as a custom detection rule to detect local group discovery events using net.exe or net1.exe. There is a whitelist for departments that are expected to perform this action, but if HR or Sales executes these commands you probably want to know.

T1069.001 T1069
KQL
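An added example for the entry above, written for this page and not the catalog's own query. It looks for net.exe/net1.exe enumerating local groups, extracts the group that was queried, joins the user's department from IdentityInfo and keeps only executions by users outside an expected-departments whitelist. The department names and the 1-day window are assumptions, and Department may be empty for accounts that are not synced from the directory, which the query treats as unexpected rather than silently dropping.

```kql
// Added example, not the catalog's query. The department names are assumptions;
// IdentityInfo.Department comes from the directory and may be empty.
let ExpectedDepartments = datatable(Department: string) [
    "IT", "Security Operations", "Infrastructure"
];
let lookback = 1d;                  // assumption
let Discovery = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("net.exe", "net1.exe")
    | where ProcessCommandLine has "localgroup"
    // /add and /delete are modifications, not discovery; they belong in a different rule.
    | where not(ProcessCommandLine has_any ("/add", "/delete"))
    // Group name after "localgroup": quoted names may contain spaces, bare names may not.
    // No name at all means "list every local group".
    | extend GroupQueried = coalesce(
          extract(@'(?i)localgroup\s+"([^"]+)"', 1, ProcessCommandLine),
          extract(@'(?i)localgroup\s+([^\s"/]+)', 1, ProcessCommandLine),
          "<all local groups>");
// Latest known department per UPN, in case the directory record changed.
let LatestDepartment = IdentityInfo
    | where isnotempty(AccountUpn)
    | summarize arg_max(Timestamp, Department) by AccountUpn
    | project AccountUpn, Department;
Discovery
| join kind=leftouter LatestDepartment on AccountUpn
// Unknown department is treated as unexpected, not ignored.
| where isempty(Department) or Department !in~ (ExpectedDepartments)
| project Timestamp, DeviceName, AccountUpn, Department, GroupQueried,
          ProcessCommandLine,
          ParentProcess = InitiatingProcessFileName,
          ParentCommandLine = InitiatingProcessCommandLine
| order by Timestamp desc
```

When this is saved as a custom detection rule, the ParentProcess and ParentCommandLine columns are what distinguish an admin typing the command in a console from a script or implant running it under a web shell or Office process.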

Locate Nobelium implant receiving DNS response

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

KQL

Locate Nobelium-related malicious DLLs created in the system or locally

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

KQL

Locate Nobelium-related malicious DLLs loaded in memory

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

KQL

Locate Shlayer payload decryption activity

This query was originally published in the threat analytics report, *OSX/Shlayer sustains adware push*.

KQL

Locate SolarWinds processes launching command prompt with the echo command

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

KQL

Locate SolarWinds processes launching suspicious PowerShell commands

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

KQL

Log Analytic Workspace Deletions

Deletion of a Log Analytics workspace leads to a loss of logging. Note that if the deleted workspace is the one being queried, the query itself can no longer be run against it, so the Azure activity log should also be collected in a workspace that is not the one under attack.

KQL
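An added example for the entry above, written for this page and not the catalog's own query. It assumes the Azure activity log is exported to the AzureActivity table of a workspace other than the one being deleted, and that a workspace delete is logged under the operation name Microsoft.OperationalInsights/workspaces/delete. The 30-day window is an assumption.

```kql
// Added example, not the catalog's query. Run this from a workspace that
// is NOT the deletion target, otherwise the evidence vanishes with the workspace.
AzureActivity
| where TimeGenerated > ago(30d)     // assumption
| where OperationNameValue =~ "Microsoft.OperationalInsights/workspaces/delete"
// One operation emits several records (Start, then Success or Failure);
// collapse them to one row per caller and target workspace.
| summarize Outcomes = make_set(ActivityStatusValue),
            Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress, Workspace = tolower(_ResourceId), SubscriptionId
| extend Deleted = set_has_element(Outcomes, "Success") or set_has_element(Outcomes, "Succeeded")
| order by Deleted desc, LastSeen desc
```

Failed attempts are kept on purpose: a caller repeatedly trying and failing to delete a workspace is as interesting as one that succeeds, and the CallerIpAddress for both is the pivot for the rest of the investigation.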

LOL Driver Usage

This query uses different tables to list all actions related to LOLDrivers: it combines DeviceFileEvents, DeviceProcessEvents and DeviceImageLoadEvents to list the results. The LOLDrivers project is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks, and helps security professionals stay informed and mitigate potential threats. These drivers should preferably be removed from, or blocked in, your environment.

KQL
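An added example for the entry above, written for this page and not the catalog's own query. The three tables the entry names answer different questions: DeviceFileEvents shows the driver being written to disk and DeviceImageLoadEvents shows it being loaded, both matched on the file hash, while DeviceProcessEvents carries the hash of the installing process (sc.exe, pnputil.exe), not of the driver, so that table is matched on the driver file name in the command line. The example goes one step beyond the entry by also checking DeviceEvents "DriverLoad" records, which is where a kernel driver load itself is reported. The hash/name pairs are constructed placeholders so the query parses; load the real list with externaldata from the LOLDrivers CSV export. The lookback window is an assumption.

```kql
// Added example, not the catalog's query. The hash/name pairs are a CONSTRUCTED
// placeholder set; load the real LOLDrivers list with externaldata in practice.
let LolDrivers = datatable(DriverSHA256: string, DriverName: string) [
    "CONSTRUCTED_SHA256_PLACEHOLDER_0001", "example_vuln_a.sys",
    "CONSTRUCTED_SHA256_PLACEHOLDER_0002", "example_vuln_b.sys"
];
let lookback = 7d;                  // assumption
// Driver written to disk, matched on file hash.
let Written = DeviceFileEvents
    | where Timestamp > ago(lookback) and isnotempty(SHA256)
    | project Timestamp, DeviceName, DriverSHA256 = SHA256,
              Evidence = strcat(ActionType, " ", FolderPath),
              Actor = InitiatingProcessFileName, Source = "DeviceFileEvents";
// Driver image loaded, matched on the hash of the loaded image.
let Loaded = DeviceImageLoadEvents
    | where Timestamp > ago(lookback) and isnotempty(SHA256)
    | project Timestamp, DeviceName, DriverSHA256 = SHA256,
              Evidence = strcat("image load ", FolderPath),
              Actor = InitiatingProcessFileName, Source = "DeviceImageLoadEvents";
// Kernel driver load; an addition beyond the three tables in the catalog entry.
let KernelLoad = DeviceEvents
    | where Timestamp > ago(lookback) and ActionType == "DriverLoad" and isnotempty(SHA256)
    | project Timestamp, DeviceName, DriverSHA256 = SHA256,
              Evidence = strcat("driver load ", FolderPath),
              Actor = InitiatingProcessFileName, Source = "DeviceEvents";
let HashHits = union Written, Loaded, KernelLoad
    | join kind=inner LolDrivers on DriverSHA256
    | project Timestamp, DeviceName, DriverName, DriverSHA256, Evidence, Actor, Source;
// Service/driver installation, e.g. "sc create x binPath= c:\tmp\x.sys": the process
// hash is sc.exe's, so match the driver name pulled from the command line instead.
let Installs = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine has ".sys"
    | extend DriverName = tolower(extract(@"(?i)([\w.-]+\.sys)", 1, ProcessCommandLine))
    | where isnotempty(DriverName)
    | join kind=inner (LolDrivers | project DriverName = tolower(DriverName), DriverSHA256) on DriverName
    | project Timestamp, DeviceName, DriverName, DriverSHA256,
              Evidence = strcat("process ", ProcessCommandLine),
              Actor = FileName, Source = "DeviceProcessEvents";
union HashHits, Installs
| summarize Events = count(),
            Sources = make_set(Source),
            Evidence = make_set(Evidence, 10),
            Actors = make_set(Actor, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, DriverName, DriverSHA256
| order by LastSeen desc
```

A device that shows up with only DeviceFileEvents evidence has the driver staged but not yet loaded; one with a DriverLoad record has already had the vulnerable driver in the kernel, and that is the one to isolate first.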

Lookup vulnerability information based on a CveID

----

KQL

Machine Onboarded Azure Arc

Lists the machines onboarded to Azure Arc. The HostName is the hostname used within Azure and Defender for Endpoint, which may differ from the actual hostname of the local system.

KQL

Mail.Read or Mail.ReadWrite permissions added to OAuth application

This query finds applications that have been granted Mail.Read or Mail.ReadWrite permissions to which a user recently consented. It can help identify applications that have been abused to gain access to user email.

KQL

MailItemsAccessed by Compromised account

This query lists the *MailItemsAccessed* actions performed by a suspicious/compromised account.

KQL

MailItemsAccessed throttling [Nobelium]

The MailItemsAccessed action is part of the Advanced Audit functionality of Microsoft 365. It is part of Exchange mailbox auditing and is enabled by default for users that have an Office 365 or Microsoft 365 E5 license, or for organizations with a Microsoft 365 E5 Compliance add-on subscription. When more than 1,000 MailItemsAccessed records are generated for a mailbox within 24 hours, Exchange stops recording mail access for that mailbox for the next 24 hours and marks the records as throttled; this query surfaces those throttled records, which point at unusually heavy mailbox access of the kind seen in the Nobelium campaign.

KQL
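An added example for the entry above, written for this page and not the catalog's own query. It assumes the Defender XDR CloudAppEvents table, where the Exchange audit record is carried in RawEventData and throttling is flagged by an OperationProperties entry of the form {Name: "IsThrottled", Value: "True"}; the 7-day window is an assumption.

```kql
// Added example, not the catalog's query. Assumes the Exchange audit record in
// RawEventData with OperationProperties = [{Name: "IsThrottled", Value: "True"}, ...].
let lookback = 7d;                  // assumption
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "MailItemsAccessed"
| where RawEventData has "IsThrottled"            // cheap pre-filter before expanding
| mv-expand Prop = RawEventData.OperationProperties
| where tostring(Prop.Name) =~ "IsThrottled" and tostring(Prop.Value) =~ "True"
| extend MailboxOwner = tostring(RawEventData.MailboxOwnerUPN),
         LogonType = tostring(RawEventData.LogonType),
         ClientInfo = tostring(RawEventData.ClientInfoString)
// Each throttled record means the 1,000-records-per-24h limit was crossed and
// later access to that mailbox went unaudited for the following 24 hours.
| summarize ThrottledRecords = count(),
            FirstThrottled = min(Timestamp),
            LastThrottled = max(Timestamp),
            SourceIps = make_set(IPAddress, 10),
            Clients = make_set(ClientInfo, 5),
            LogonTypes = make_set(LogonType)
    by AccountObjectId, AccountDisplayName, MailboxOwner
| order by ThrottledRecords desc
```

Rows where the accessing account differs from MailboxOwner are delegate or impersonated access and are the first to pivot on; the non-throttled MailItemsAccessed records from the same account and source IP in the hours before FirstThrottled show which folders and messages were actually read before auditing went dark.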

Malicious Browser Extension Downloads using DeviceFileEvents

Credit https://github.com/toborrm9/malicious_extension_sentry

KQL

Malicious email delivered in Microsoft 365

This query lists all the emails delivered to a mailbox that have been classified as malicious based on threat intelligence.

T1566
KQL
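An added example for the entry above, written for this page and not the catalog's own query. It assumes the Defender for Office 365 EmailEvents and EmailPostDeliveryEvents schemas and a 7-day window. Beyond listing the delivered malicious mail, it joins post-delivery ZAP actions so the analyst can see which of those messages are still sitting in a user-visible folder.

```kql
// Added example, not the catalog's query. Assumes EmailEvents (ThreatTypes,
// DeliveryAction, DeliveryLocation) and EmailPostDeliveryEvents (ZAP actions).
let lookback = 7d;                  // assumption
// Latest zero-hour auto purge outcome per message and recipient.
let Zapped = EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType has "ZAP"                  // "Phish ZAP" / "Malware ZAP"
    | summarize arg_max(Timestamp, ActionType, ActionResult, DeliveryLocation)
        by NetworkMessageId, RecipientEmailAddress
    | project NetworkMessageId, RecipientEmailAddress,
              ZapAction = ActionType, ZapResult = ActionResult,
              LocationAfterZap = DeliveryLocation, ZapTime = Timestamp;
EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has_any ("Malware", "Phish")
| where DeliveryAction == "Delivered"
// Still reachable by the user: the inbox or another user-visible folder.
| where DeliveryLocation in~ ("Inbox/folder", "Junk folder")
| join kind=leftouter Zapped on NetworkMessageId, RecipientEmailAddress
// No ZAP record means nothing has moved the message since delivery.
| extend NoPostDeliveryAction = isempty(ZapAction)
| project Timestamp, RecipientEmailAddress, SenderFromAddress, SenderMailFromAddress,
          Subject, ThreatTypes, ThreatNames, DeliveryLocation,
          AttachmentCount, UrlCount, ZapAction, ZapResult, LocationAfterZap, ZapTime,
          NoPostDeliveryAction
| order by NoPostDeliveryAction desc, Timestamp desc
```

SenderFromAddress and SenderMailFromAddress are both kept because a mismatch between the header From and the envelope sender is itself a phishing indicator that the ThreatTypes verdict does not show.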
Page 15 of 25