EXPLORE

EXPLORE DETECTIONS

🔍
588 detections found

Potential Beaconing Activity

This query detects potential Command & Control (C2) beaconing activity by identifying remote IPs that receive a high average number of connections from a small number of devices. Beaconing is a hallmark of C2 communication where malware regularly checks in with its controller at consistent intervals. The query combines aggregated connection reports with enrichment via `FileProfile` to surface processes with low global prevalence making these repeated outbound connections, reducing false positives from known-good software.

T1071.001T1071
KQL

Potential Credential Dumping

Check for wdigest registry key being set to store passwords in plain text

KQL

Potential Entra Admin Synced back On-premise

Advanced Hunting table but can be ingested in sentinel

KQL

Potential Kerberos Encryption Downgrade

Adversaries can use older kerberos encryption algorithms which are vulnerable to brute force attacks to crack passwords. This query can be used to detect changes in the support of kerberos encryption standards on domain joined devices. This query will list all changes that are performed after a device has joined the domain. If the results contain older encryption versions it could be an adversary trying to enable older ciphers to perform kerberoasting on a later stage.

T1558.003T1562.010T1558T1562
KQL

Potential Phishing Campaign

The *EmailClusterId* which can be assigned to a mail is the identifier for the group of similar emails clustered based on heuristic analysis of their contents. Therefore this identifier can be leveraged to find related mails. This can for example be from a different sender or the content of the mail has changed from Hello Bob to Hello Alice but the rest of the contents has stayed the same. This query searches for mails that have the same *EmailClusterId* but have different senders. Furthermore only emails that contain a URL are selected by joining the EmailUrlInfo table.

T1566.002T1566
KQL

Potential User Signed into Edge Browser From Unmanaged or Unregistered Device

Successes only

KQL

Potentially Ungoverned AI Domains such as chatgpt

This Query looks for usage of ungoverned AI Usage by using DeviceNetworkEvents

KQL

Potentially Unsanctioned Application Usage

This query looks for application names that may be unwanted using Process Name in DeviceProcessEvents. Searching by name is limited but can be fast for a quick check

KQL

Powercat exploitation tool downloaded

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

KQL

PowerShell Defensive Evasion Detection

This query detects PowerShell commands using hidden windows or silent continue

KQL

PowerShell Invoke-Webrequest

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. The function Invoke-Webrequest can be abused to remotely download script to the local file system for execution. This query can be used to list the commandline downloads. Since this request can be expected for certain workloads in your environment a additional filter is added, to only alert on servers if this executed.

T1059.001T1059
KQL

PowerShell No Profile (APT 28)

This query can be used to detect behaviour that APT28 uses in their attacks. The Ukrainian CERT has shared the following commands executed by APT28 which could be detected by this KQL query.

KQL

Prioritize Secure Configuration

This query helps you prioritize configuration changes that affect your devices based on the Microsoft Defender TVM modules.

KQL

Procdump dumping LSASS credentials

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

KQL

Process injection by Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*

KQL

Process Primary Token Elevated to SeDebugPrivilege

This query detects when a process's primary token is modified to include `SeDebugPrivilege` (privilege bit 20). `SeDebugPrivilege` grants a process the ability to open and manipulate any other process on the system, regardless of its security descriptor. This privilege is routinely abused by attackers for credential dumping (e.g., accessing LSASS), process injection, and lateral movement. The query uses a bitmask comparison to identify exactly when this privilege is added to a token and enriches the result with file prevalence data to reduce false positives.

T1134
KQL

Python usage associated with ransomware on macOS

This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.

KQL

Python-based attacks on macOS

This query was originally published in the threat analytics report, *Python abuse on macOS*

KQL

Query Execution Statistics

List the query execution statistics for your Log Analytics Workspace, this returns the *UnqiueQueryCount* and the *TotalQueriesExecuted* for each Azure Active Directory User.

KQL

Query the installed extensions with the most required permissions

----

KQL

Ransom note 'say' alert associated with ransomware on macOS

This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.

KQL

Ransomware Behaviour Kill SQL Processes

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. In this specific case this Threat Hunting query can be used to detect the behaviour that LockBit uses, which is killing SQL related processes via the commandline before deploying ransomware.

T1489
KQL

RansomwareToolMatrix Defender Lookup

WORK IN PROGRESS

KQL

Rare .lnk File Created on Desktop

This query detects rare `.lnk` (shortcut) files created on the desktop of a device. Attackers often place malicious shortcut files on the desktop to trick users into executing malware, or to establish persistence. The query uses the `FileProfile` function to filter out commonly seen files and only surfaces shortcuts with a low global prevalence, making it suitable for hunting uncommon or suspicious shortcut drops.

T1027.012T1027
KQL
PreviousPage 19 of 25Next