EXPLORE DETECTIONS
Potential Beaconing Activity
This query detects potential Command & Control (C2) beaconing activity by identifying remote IPs that receive a high average number of connections from a small number of devices. Beaconing is a hallmark of C2 communication where malware regularly checks in with its controller at consistent intervals. The query combines aggregated connection reports with enrichment via `FileProfile` to surface processes with low global prevalence making these repeated outbound connections, reducing false positives from known-good software.
Potential Credential Dumping
Check for wdigest registry key being set to store passwords in plain text
Potential Entra Admin Synced back On-premise
Advanced Hunting table but can be ingested in sentinel
Potential Kerberos Encryption Downgrade
Adversaries can use older kerberos encryption algorithms which are vulnerable to brute force attacks to crack passwords. This query can be used to detect changes in the support of kerberos encryption standards on domain joined devices. This query will list all changes that are performed after a device has joined the domain. If the results contain older encryption versions it could be an adversary trying to enable older ciphers to perform kerberoasting on a later stage.
Potential Phishing Campaign
The *EmailClusterId* which can be assigned to a mail is the identifier for the group of similar emails clustered based on heuristic analysis of their contents. Therefore this identifier can be leveraged to find related mails. This can for example be from a different sender or the content of the mail has changed from Hello Bob to Hello Alice but the rest of the contents has stayed the same. This query searches for mails that have the same *EmailClusterId* but have different senders. Furthermore only emails that contain a URL are selected by joining the EmailUrlInfo table.
Potential User Signed into Edge Browser From Unmanaged or Unregistered Device
Successes only
Potentially Ungoverned AI Domains such as chatgpt
This Query looks for usage of ungoverned AI Usage by using DeviceNetworkEvents
Potentially Unsanctioned Application Usage
This query looks for application names that may be unwanted using Process Name in DeviceProcessEvents. Searching by name is limited but can be fast for a quick check
Powercat exploitation tool downloaded
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
PowerShell Defensive Evasion Detection
This query detects PowerShell commands using hidden windows or silent continue
PowerShell Invoke-Webrequest
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. The function Invoke-Webrequest can be abused to remotely download script to the local file system for execution. This query can be used to list the commandline downloads. Since this request can be expected for certain workloads in your environment a additional filter is added, to only alert on servers if this executed.
PowerShell No Profile (APT 28)
This query can be used to detect behaviour that APT28 uses in their attacks. The Ukrainian CERT has shared the following commands executed by APT28 which could be detected by this KQL query.
Prioritize Secure Configuration
This query helps you prioritize configuration changes that affect your devices based on the Microsoft Defender TVM modules.
Procdump dumping LSASS credentials
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
Process injection by Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
Process Primary Token Elevated to SeDebugPrivilege
This query detects when a process's primary token is modified to include `SeDebugPrivilege` (privilege bit 20). `SeDebugPrivilege` grants a process the ability to open and manipulate any other process on the system, regardless of its security descriptor. This privilege is routinely abused by attackers for credential dumping (e.g., accessing LSASS), process injection, and lateral movement. The query uses a bitmask comparison to identify exactly when this privilege is added to a token and enriches the result with file prevalence data to reduce false positives.
Python usage associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Python-based attacks on macOS
This query was originally published in the threat analytics report, *Python abuse on macOS*
Query Execution Statistics
List the query execution statistics for your Log Analytics Workspace, this returns the *UnqiueQueryCount* and the *TotalQueriesExecuted* for each Azure Active Directory User.
Query the installed extensions with the most required permissions
----
Ransom note 'say' alert associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Ransomware Behaviour Kill SQL Processes
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. In this specific case this Threat Hunting query can be used to detect the behaviour that LockBit uses, which is killing SQL related processes via the commandline before deploying ransomware.
RansomwareToolMatrix Defender Lookup
WORK IN PROGRESS
Rare .lnk File Created on Desktop
This query detects rare `.lnk` (shortcut) files created on the desktop of a device. Attackers often place malicious shortcut files on the desktop to trick users into executing malware, or to establish persistence. The query uses the `FileProfile` function to filter out commonly seen files and only surfaces shortcuts with a low global prevalence, making it suitable for hunting uncommon or suspicious shortcut drops.