EXPLORE DETECTIONS
Notepad++ - Chrysalis Backdoor Spawned binaries + network connections correlation
Credit: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6
OAuth apps accessing user mail via GraphAPI [Nobelium]
This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.
OAuth apps reading mail via GraphAPI and directly [Nobelium]
As described in [previous guidance](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/), Nobelium may re-purpose legitimate existing OAuth Applications in the environment to their own ends. However, malicious activity patterns may be discernable from legitimate ones.
OAuth apps reading mail via GraphAPI anomaly [Nobelium]
Use this query to review OAuth applications whose behaviour has changed as compared to a prior baseline period. The following query returns OAuth Applications accessing user mail via Graph that did not do so in the preceding week.
office Add-in Installs
This Query looks for office Add-in Installs
Office applications launching wscript.exe to run JScript
This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
Onboarded Machines by Resource Group
This query lists the amount of onboarded Azure Arc Machines for each resourceGroup.
OneDrive Sync From Rare IP
This query combines the CloudAppEvents table and the SignInLogs from Entra ID to hunt for OneDrive Sync activities from a rare IP address. The variables should be set based on your needs.
OnionMail EmailAddresses
raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/OnionMail.txt'] with (format=csv, ignoreFirstRecord=False);
Operation download all users in Azure Active directory performed
Detect when a user account downloads all Azure Active Directory users. This can be used to dump all Azure AD users. Both admin and non-admin users can download user lists.
Oracle WebLogic process wlsvcX64.exe exploitation and execution of PowerShell script to download payloads
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Outbound MSHTA Connection
Detects outbound network connections initiated by `mshta.exe`. `mshta.exe` is a legitimate Windows binary, but it is frequently abused by adversaries to execute malicious script content from local or remote HTA resources.
Outlook email access by campaigns using Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
Parsed User Agent
| where TimeGenerated > ago(30d)
Password change after succesful brute force
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. This query combines the brute force indicators with a followed password change after the adversary has gained access to an account.
Paste and Anonymous File Transfer Sites - DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/FileTransfer%20PasteLike%20Sites.csv"] with (format="csv", ignoreFirstRecord=True);
Personal Messaging Domains - DeviceNetworkEvents
This Query looks for the usage of chat websites. Once you have hunted considering downloading the list from https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/ChatSites.csv and uploading to Indicators in MDE
PieChart - Exposure Level Onboarded Devices
This query visualizes the onboarded devices and their exposure level in a PieChart. The higher the exposure level of a device, the more likely it is to be exploited.
PIM Security Alerts
Detects Microsoft Entra Privileged Identity Management (PIM) security alerts and assigns severity based on the official Microsoft documentation.
Piracy Domains - DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Piracy.csv"] with (format="csv", ignoreFirstRecord=True);
Possible webshell on the endpoint
Attackers install web shells on servers by taking advantage of security gaps, typically vulnerabilities in web applications, in internet-facing servers. These attackers scan the internet, often using public scanning interfaces like shodan.io, to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched in many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities.
Post Dilivery Events
This query visualizes the post dilivery events from exchange to view the status of your environment.
Potential Adversary in the middle Phishing
List potential adversary in the middle phishing attempts that have been identified by the **OfficeHome** application in combination with an empty deviceid. The OfficeHome application is known to be the default of some AiTM phishing kits. An empty deviceid is the result of an device that is not onboarded/known to your organization. If only onboarded devices should sign in to your orgs cloud apps, an empty id should raise alarms, since it is an unknown device. If the resultype 0 is included in the results a successful sign-in is performed.
Potential Azure VM Admin Password reset using VMAccess extension
JsonVMAccessExtension.exe refers to the VMAccess Extension that can reset the Built-in administrator account/add new accounts. This applies to any Azure VM/AVD