EXPLORE DETECTIONS
OAuth apps reading mail via GraphAPI anomaly [Nobelium]
Use this query to review OAuth applications whose behaviour has changed as compared to a prior baseline period. The following query returns OAuth Applications accessing user mail via Graph that did not do so in the preceding week.
Office Add-in Installs
This query looks for Office add-in installs.
Office applications launching wscript.exe to run JScript
This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
Onboarded Machines by Resource Group
This query lists the number of onboarded Azure Arc machines for each resource group.
OneDrive Sync From Rare IP
This query combines the CloudAppEvents table and the SignInLogs from Entra ID to hunt for OneDrive Sync activities from a rare IP address. The variables should be set based on your needs.
OnionMail EmailAddresses
This query matches email addresses against the OnionMail list loaded with `externaldata` (format csv, ignoreFirstRecord=False) from raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/OnionMail.txt.
Operation download all users in Azure Active directory performed
Detects when a user account downloads all Azure Active Directory users. This operation can be used to dump the full Azure AD user list, and both admin and non-admin users can perform it.
Oracle WebLogic process wlsvcX64.exe exploitation and execution of PowerShell script to download payloads
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Outbound MSHTA Connection
Detects outbound network connections initiated by `mshta.exe`. `mshta.exe` is a legitimate Windows binary, but it is frequently abused by adversaries to execute malicious script content from local or remote HTA resources.
Outlook email access by campaigns using Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Parsed User Agent
This query parses the user agent string; the published snippet scopes the search to the last 30 days with `| where TimeGenerated > ago(30d)`.
Password change after successful brute force
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. This query combines the brute force indicators with a subsequent password change performed after the adversary has gained access to an account.
Paste and Anonymous File Transfer Sites - DeviceNetworkEvents
This query matches DeviceNetworkEvents against the paste and anonymous file transfer site list loaded with `externaldata` (format csv, ignoreFirstRecord=True) from raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/FileTransfer%20PasteLike%20Sites.csv.
Personal Messaging Domains - DeviceNetworkEvents
This query looks for the usage of chat websites. Once you have hunted, consider downloading the list from https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/ChatSites.csv and uploading it to Indicators in MDE.
PieChart - Exposure Level Onboarded Devices
This query visualizes the onboarded devices and their exposure level in a pie chart. The higher the exposure level of a device, the more likely it is to be exploited.
PIM Security Alerts
Detects Microsoft Entra Privileged Identity Management (PIM) security alerts and assigns severity based on the official Microsoft documentation.
Piracy Domains - DeviceNetworkEvents
This query matches DeviceNetworkEvents against the piracy domain list loaded with `externaldata` (format csv, ignoreFirstRecord=True) from raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Piracy.csv.
Possible webshell on the endpoint
Attackers install web shells on internet-facing servers by taking advantage of security gaps, typically vulnerabilities in web applications. These attackers scan the internet, often using public scanning interfaces like shodan.io, to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched on many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities.
Post Delivery Events
This query visualizes the post-delivery events from Exchange to view the status of your environment.
Potential Adversary-in-the-Middle Phishing
Lists potential adversary-in-the-middle (AiTM) phishing attempts identified by sign-ins to the **OfficeHome** application in combination with an empty DeviceId. The OfficeHome application is known to be the default of some AiTM phishing kits. An empty DeviceId is the result of a device that is not onboarded to, or known by, your organization. If only onboarded devices should sign in to your organization's cloud apps, an empty id should raise alarms, since it is an unknown device. If ResultType 0 is included in the results, a successful sign-in was performed.
Potential Beaconing Activity
This query detects potential Command & Control (C2) beaconing activity by identifying remote IPs that receive a high average number of connections from a small number of devices. Beaconing is a hallmark of C2 communication, where malware regularly checks in with its controller at consistent intervals. The query combines aggregated connection reports with enrichment via `FileProfile` to surface processes with low global prevalence that make these repeated outbound connections, reducing false positives from known-good software.
Potential Credential Dumping
Checks for the WDigest registry key being set to store passwords in plain text.
Potential Kerberos Encryption Downgrade
Adversaries can use older Kerberos encryption algorithms, which are vulnerable to brute force attacks, to crack passwords. This query can be used to detect changes in the supported Kerberos encryption standards on domain-joined devices. It lists all changes performed after a device has joined the domain. If the results contain older encryption versions, it could be an adversary trying to enable older ciphers to perform Kerberoasting at a later stage.
Potential Phishing Campaign
The *EmailClusterId* that can be assigned to a mail is the identifier for a group of similar emails, clustered based on heuristic analysis of their contents. Therefore, this identifier can be leveraged to find related mails, for example mails from a different sender, or mails whose content has changed from "Hello Bob" to "Hello Alice" while the rest has stayed the same. This query searches for mails that have the same *EmailClusterId* but different senders. Furthermore, only emails that contain a URL are selected, by joining the EmailUrlInfo table.