EXPLORE DETECTIONS
Detect BlueKeep exploitation attempts
This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.
Detect BlueKeep-related cryptocurrency mining
This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.
Detect cipher.exe deleting data
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Detect clearing of system logs
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
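The two entries above are both defence-impairment behaviours seen in the same ransomware campaigns. The following advanced hunting query is an added illustration written for this page, not the query published in the report; it assumes the standard Microsoft Defender for Endpoint `DeviceProcessEvents` schema and that the attacker used the built-in tooling (`cipher.exe /w:<path>` to overwrite free space, `wevtutil cl` or the PowerShell `Clear-EventLog` cmdlet to clear logs). Hunting both together per device is the point: either alone is noisy on admin workstations, but both on one host inside a short window is a strong ransomware-precursor signal.

```kql
// Added example (not the published query): cipher.exe free-space wiping
// and event-log clearing, correlated per device and account.
let lookback = 7d;
let wipe = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "cipher.exe"
// cipher.exe /w:<path> overwrites deallocated space so deleted files cannot be recovered.
// Regex rather than `has`, because `has` tokenises away the leading slash.
| where ProcessCommandLine matches regex @"(?i)(^|\s)/w:"
| extend Behaviour = "free-space wipe (cipher.exe /w)";
let logclear = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where (FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("cl", "clear-log"))
     or (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine has_any ("Clear-EventLog", "Remove-EventLog"))
| extend Behaviour = "event log clearing";
union wipe, logclear
| summarize
    Behaviours = make_set(Behaviour),
    Commands   = make_set(ProcessCommandLine, 20),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by DeviceId, DeviceName, AccountDomain, AccountName
| extend BehaviourCount = array_length(Behaviours)
// Rank hosts where both behaviours appear first; single-behaviour hits stay
// in the result for triage but sort lower.
| order by BehaviourCount desc, LastSeen desc
```

Scheduled backup or disk-cleanup jobs can legitimately run `cipher /w`; before turning this into a custom detection, baseline which accounts and parent processes (`InitiatingProcessFileName`) run it in your environment and exclude those explicitly rather than loosening the match.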
Detect Cobalt Strike invoked via WMI
This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
Detect command-and-control communication related to BlueKeep cryptomining
This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.
Detect credential theft via SAM database export by LaZagne
This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
Detect CVE-2018-15982 exploit used to extract file from malicious RAR archive
This query was originally published in the threat analytics report, *CVE-2018-15982 exploit attacks*.
Detect CVE-2019-0863 (AngryPolarBearBug2) exploit
This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.
Detect CVE-2019-0973 (InstallerBypass) exploit
This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.
Detect CVE-2019-1053 (SandboxEscape) exploit
This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.
Detect CVE-2019-1069 (BearLPE) exploit
This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.
Detect CVE-2019-1129 (ByeBear) exploit
This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.
Detect DoppelPaymer operators dumping credentials with ProcDump
This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
Detect DoppelPaymer operators spreading files with PsExec
This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
Detect DoppelPaymer operators stopping services
This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
Detect DoppelPaymer performing reconnaissance with net.exe
This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
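The four DoppelPaymer entries above describe successive stages of one hands-on-keyboard intrusion: reconnaissance with `net.exe`, credential dumping with ProcDump, service stopping, and file spreading with PsExec. The following query is an added illustration for this page, not any of the published queries; it assumes the `DeviceProcessEvents` schema and the tool names as the report titles give them (ProcDump targeting `lsass`, PsExec and its `PSEXESVC` service binary, `sc stop` / `net stop`). Instead of four separate queries, it tags each process event with a stage and surfaces devices where two or more stages occur in the lookback window, which is how a hunter would chain these report queries in practice.

```kql
// Added example (not the published queries): stage-tag the DoppelPaymer
// tradecraft named in the report entries and correlate stages per device.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend Stage = case(
    // net.exe spawns net1.exe for most subcommands, so match both binaries.
    FileName in~ ("net.exe", "net1.exe")
        and ProcessCommandLine has_any ("group", "localgroup", "user", "view", "accounts"),
        "recon",
    // ProcDump dumping LSASS (-ma = full memory dump); catch renamed copies by flags.
    (FileName in~ ("procdump.exe", "procdump64.exe") or ProcessCommandLine has "-ma")
        and ProcessCommandLine has "lsass",
        "credential-dump",
    (FileName =~ "sc.exe" and ProcessCommandLine has "stop")
        or (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "stop"),
        "service-stop",
    FileName in~ ("psexec.exe", "psexec64.exe", "psexesvc.exe")
        or ProcessCommandLine has "psexesvc",
        "lateral-movement",
    "")
| where isnotempty(Stage)
| summarize
    Stages   = make_set(Stage),
    Examples = make_set(ProcessCommandLine, 10),
    Accounts = make_set(AccountName),
    First    = min(Timestamp),
    Last     = max(Timestamp)
    by DeviceId, DeviceName
| extend StageCount = array_length(Stages)
// Two or more distinct stages on one host is the correlation that separates
// an operator's session from routine administration.
| where StageCount >= 2
| order by StageCount desc, Last desc
```

Any single stage here is common in legitimate administration, which is why the filter is on the number of distinct stages per device rather than on any one command; lower the threshold to 1 only when hunting a host you already suspect.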
Detect DoublePulsar execution
This query was originally published in the threat analytics report, *Motivated miners*.
Detect exploitation of the Internet Explorer remote code execution vulnerability, CVE-2018-8653
This query was originally published in the threat analytics report, *CVE-2018-8653 scripting engine vulnerability*.
Detect keywords associated with Snip3 campaign emails
Snip3 is a family of related remote access trojans. Although the variants in this family differ in many small details, they all exhibit similar behaviors and techniques.
Detect loading of vulnerable drivers by Robbinhood ransomware campaign
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Detect malicious documents associated with group known as "OceanLotus"
This query was originally published in a threat analytics report about the group known to other security researchers as *APT32* or *OceanLotus*.
Detect malicious network activity associated with group known as "OceanLotus"
This query was originally published in a threat analytics report about the group known to other security researchers as *APT32* or *OceanLotus*.
Detect malicious use of Msiexec
This query was originally published in the threat analytics report, *Msiexec abuse*.