EXPLORE DETECTIONS
Potential User Signed into Edge Browser From Unmanaged or Unregistered Device
Successes only
Potentially Ungoverned AI Domains such as chatgpt
This query looks for potentially ungoverned AI usage by searching DeviceNetworkEvents for connections to such domains.
Potentially Unsanctioned Application Usage
This query looks for application names that may be unwanted, using the process name in DeviceProcessEvents. Searching by name is limited, but it can be fast for a quick check.
Powercat exploitation tool downloaded
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
PowerShell Defensive Evasion Detection
This query detects PowerShell commands using hidden windows or silent continue
PowerShell Invoke-Webrequest
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. The function Invoke-WebRequest can be abused to download a script from a remote location to the local file system for execution. This query can be used to list command-line downloads. Since such requests can be expected for certain workloads in your environment, an additional filter is added so that it only alerts when this is executed on servers.
PowerShell No Profile (APT 28)
This query can be used to detect behaviour that APT28 uses in their attacks. The Ukrainian CERT has shared the following commands executed by APT28 which could be detected by this KQL query.
Prioritize Secure Configuration
This query helps you prioritize configuration changes that affect your devices based on the Microsoft Defender TVM modules.
Procdump dumping LSASS credentials
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
Process injection by Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Process Primary Token Elevated to SeDebugPrivilege
This query detects when a process's primary token is modified to include `SeDebugPrivilege` (privilege bit 20). `SeDebugPrivilege` grants a process the ability to open and manipulate any other process on the system, regardless of its security descriptor. This privilege is routinely abused by attackers for credential dumping (e.g., accessing LSASS), process injection, and lateral movement. The query uses a bitmask comparison to identify exactly when this privilege is added to a token and enriches the result with file prevalence data to reduce false positives.
Python usage associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Python-based attacks on macOS
This query was originally published in the threat analytics report, *Python abuse on macOS*.
Query Execution Statistics
List the query execution statistics for your Log Analytics workspace. This returns the *UniqueQueryCount* and the *TotalQueriesExecuted* for each Azure Active Directory user.
Query the installed extensions with the most required permissions
Ransom note 'say' alert associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Ransomware Behaviour Kill SQL Processes
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. In this specific case this Threat Hunting query can be used to detect the behaviour that LockBit uses, which is killing SQL related processes via the commandline before deploying ransomware.
RansomwareToolMatrix Defender Lookup
WORK IN PROGRESS
Rare .lnk File Created on Desktop
This query detects rare `.lnk` (shortcut) files created on the desktop of a device. Attackers often place malicious shortcut files on the desktop to trick users into executing malware, or to establish persistence. The query uses the `FileProfile` function to filter out commonly seen files and only surfaces shortcuts with a low global prevalence, making it suitable for hunting uncommon or suspicious shortcut drops.
Rclone Copy Process Args
Any use of rclone should be heavily scrutinized in the environment. It is a binary commonly used by attackers to exfiltrate data.
Registry edits by campaigns using Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Remote code execution on vulnerable server
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Remote Image Loads
This query can be used to summarize the remote image loads to a (potentially) compromised domain.