EXPLORE DETECTIONS
MS Exchange Zero Day (Sept 2022)
MSHTA Executions
This query lists all mshta executions; if mshta is used legitimately in your environment, it can instead be used to filter on suspicious mshta child processes.
Multiple Accounts Locked
Detect when multiple accounts are locked in your Azure tenant within a short timeframe; this can indicate brute-force or password-spray attacks. This detection is based on error code 50053, which results from two different reasons:
Multiple Sensitive Group Additions From Commandline
This query detects when multiple sensitive group additions have been initiated from the command line within a certain timeframe. This timeframe can be configured using the *BinTimeFrame* variable. The *AlertThreshold* can be used to tune the detection to the threshold you want to aim for; if set to one, every command-line addition will generate an alert.
Net(1).exe Query Statistics
This query can be used to list the statistics of the entities that have been queried in the last x days, where x is determined by the *StartTime* parameter. Only the (local) group and user query types are included. This query can be used to list the users/groups that are queried often, or to surface rare discovery activities.
Netskope Malicious CloudWorker Detection
This query checks DeviceNetworkEvents against known malicious Cloudflare Workers reported by Netskope.
New access credential added to application or service principal
This query will find when a new credential is added to an application or service principal.
New Active CISA Known Exploited Vulnerability Detected
CISA provides a comprehensive list of known exploited vulnerabilities with CVE numbers, vendor names, product names, vulnerability names, dates, short descriptions, action due dates, and notes. This dynamic list is ingested into a KQL query to detect newly added known exploited vulnerabilities that are active in your environment.
New Authentication App Detected
Detect a new app that is used to send authentication requests to your tenant. The authentication requests do not have to be successful. The app can either be an internal app, in which case the AppID is populated; otherwise it is an external app. A false positive is a new app that is legitimately used within your organization.
New LOLBIN with external connection
This query searches for new LOLBINs that have made external connections. This is done by first listing all LOLBINs that are known to make external connections; for example, msedge.exe will (of course) trigger external connections. With this query you can list rare LOLBINs that do not commonly make external connections. The list of LOLBINs is based on the LOLBAS project.
New TABL Entry using OfficeActivity
let SI = union SigninLogs, AADNonInteractiveUserSignInLogs
New TenantAllowBlockList (TABL) entry
| project-reorder Notes, Url, Expiration
New UserAgent used
This query can be used to detect new UserAgents that have been used to perform sign-in activities (successful or failed). If your company only uses Windows devices, it will be interesting to investigate the other UserAgents that have been used.
Nltest Discovery Activities
The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts. This detection is based on the *DeviceProcessEvents* table and triggers if more than 3 nltest queries are executed by a user on the same computer within 30 minutes. You can alter the variables yourself to tailor it to your environment.
Nltest Discovery Activities
The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts. This detection is based on Windows Security Event 4688 and triggers if more than 3 nltest queries are executed by a user on the same computer within 30 minutes. You can alter the variables yourself to tailor it to your environment.
Nobelium campaign DNS pattern
This query looks for the DGA pattern of the domain associated with the Nobelium campaign, in order to find other domains with the same activity pattern.
Nobelium encoded domain in URL
Looks for a logon domain in the Azure AD logs, encoded with the same DGA encoding used in the Nobelium campaign.
Notepad++ - Chrysalis Backdoor File Hash IOCs
Reference: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Notepad++ - Chrysalis Backdoor gup.exe detection
Reference: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6
Notepad++ - Chrysalis Backdoor gup.exe spawned binaries excluding known-good Notepad++ hashes
Credit: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6
Notepad++ - Chrysalis Backdoor Network IOCs
Reference: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Notepad++ - Chrysalis Backdoor Spawned binaries + network connections correlation
Credit: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6
OAuth apps accessing user mail via GraphAPI [Nobelium]
This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.
OAuth apps reading mail via GraphAPI and directly [Nobelium]
As described in [previous guidance](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/), Nobelium may re-purpose legitimate existing OAuth applications in the environment to their own ends. However, malicious activity patterns may be discernible from legitimate ones.