EXPLORE

EXPLORE DETECTIONS

🔍
588 detections found

Notepad++ - Chrysalis Backdoor Spawned binaries + network connections correlation

Credit: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6

KQL

OAuth apps accessing user mail via GraphAPI [Nobelium]

This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.

KQL

OAuth apps reading mail via GraphAPI and directly [Nobelium]

As described in [previous guidance](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/), Nobelium may re-purpose legitimate existing OAuth Applications in the environment to their own ends. However, malicious activity patterns may be discernable from legitimate ones.

KQL

OAuth apps reading mail via GraphAPI anomaly [Nobelium]

Use this query to review OAuth applications whose behaviour has changed as compared to a prior baseline period. The following query returns OAuth Applications accessing user mail via Graph that did not do so in the preceding week.

KQL

office Add-in Installs

This Query looks for office Add-in Installs

KQL

Office applications launching wscript.exe to run JScript

This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.

KQL

Onboarded Machines by Resource Group

This query lists the amount of onboarded Azure Arc Machines for each resourceGroup.

KQL

OneDrive Sync From Rare IP

This query combines the CloudAppEvents table and the SignInLogs from Entra ID to hunt for OneDrive Sync activities from a rare IP address. The variables should be set based on your needs.

T1530
KQL

OnionMail EmailAddresses

raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/OnionMail.txt'] with (format=csv, ignoreFirstRecord=False);

KQL

Operation download all users in Azure Active directory performed

Detect when a user account downloads all Azure Active Directory users. This can be used to dump all Azure AD users. Both admin and non-admin users can download user lists.

T1087.004T1069.003T1087T1069
KQL

Oracle WebLogic process wlsvcX64.exe exploitation and execution of PowerShell script to download payloads

This query was originally published in the threat analytics report, *Sysrv botnet evolution*.

KQL

Outbound MSHTA Connection

Detects outbound network connections initiated by `mshta.exe`. `mshta.exe` is a legitimate Windows binary, but it is frequently abused by adversaries to execute malicious script content from local or remote HTA resources.

T1218.005T1218
KQL

Outlook email access by campaigns using Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*

KQL

Parsed User Agent

| where TimeGenerated > ago(30d)

KQL

Password change after succesful brute force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. This query combines the brute force indicators with a followed password change after the adversary has gained access to an account.

T1098T1110
KQL

Paste and Anonymous File Transfer Sites - DeviceNetworkEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/FileTransfer%20PasteLike%20Sites.csv"] with (format="csv", ignoreFirstRecord=True);

KQL

Personal Messaging Domains - DeviceNetworkEvents

This Query looks for the usage of chat websites. Once you have hunted considering downloading the list from https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/ChatSites.csv and uploading to Indicators in MDE

KQL

PieChart - Exposure Level Onboarded Devices

This query visualizes the onboarded devices and their exposure level in a PieChart. The higher the exposure level of a device, the more likely it is to be exploited.

KQL

PIM Security Alerts

Detects Microsoft Entra Privileged Identity Management (PIM) security alerts and assigns severity based on the official Microsoft documentation.

KQL

Piracy Domains - DeviceNetworkEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Piracy.csv"] with (format="csv", ignoreFirstRecord=True);

KQL

Possible webshell on the endpoint

Attackers install web shells on servers by taking advantage of security gaps, typically vulnerabilities in web applications, in internet-facing servers. These attackers scan the internet, often using public scanning interfaces like shodan.io, to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched in many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities.

T1505.003T1505
KQL

Post Dilivery Events

This query visualizes the post dilivery events from exchange to view the status of your environment.

KQL

Potential Adversary in the middle Phishing

List potential adversary in the middle phishing attempts that have been identified by the **OfficeHome** application in combination with an empty deviceid. The OfficeHome application is known to be the default of some AiTM phishing kits. An empty deviceid is the result of an device that is not onboarded/known to your organization. If only onboarded devices should sign in to your orgs cloud apps, an empty id should raise alarms, since it is an unknown device. If the resultype 0 is included in the results a successful sign-in is performed.

T1557
KQL

Potential Azure VM Admin Password reset using VMAccess extension

JsonVMAccessExtension.exe refers to the VMAccess Extension that can reset the Built-in administrator account/add new accounts. This applies to any Azure VM/AVD

KQL
PreviousPage 18 of 25Next