EXPLORE DETECTIONS
Rclone Copy Process Args
Any use of rclone should be heavily scrutinzed in the environment. It is a common binary to see attackers use to get data out
Registry edits by campaigns using Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
Remote code execution on vulnerable server
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Remote Image Loads
This query can be used to summarize the remote image loads to a (potentially) compromised domain.
Remote Image Loads
This query can be used to summarize the remote image loads to a (potentially) compromised domain.
Remote Management Tools (RMM) - DeviceNetworkEvents Domains
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/RMM.csv"] with (format="csv", ignoreFirstRecord=True);
Removal of Roles Post GDAP relationship ending
Removal of roles after Granular admin relationship has ended
Request an actor token for graph.windows.net using Service to Service (S2S)
Ref: https://i.blackhat.com/BH-USA-25/Presentations/US-25-Mollema-Advanced-AD-to-Entra-ID-lateral-movement-techniques-Wednesday.pdf
Resource Lock Deletion for Azure Monitor Rule
Attempts to Delete Resource Locks on Azure Monitor Rules for a particular subscription and Resource group. KQL from https://www.linkedin.com/pulse/main-reason-you-shouldnt-exclude-break-glass-group-access-kerai-4dtve/
Return backup files deletion events
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Reverse shell associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
Risk Based Step Up Consent (RBSU) for Application
Risk Based Step up flow to Admin Flow. This will log even if the permissions being requested are already admin consentable.
Risky Sign-in Keyword Search (CISA)
Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
RMM Tools with connections
This query used the [LOLRMM](https://lolrmm.io/) API to fetch all filenames related to RMM tools. Based on the executable filenames it looks into all the *DeviceNetworkEvents* to find RMM tools that have made successful connections, indicating that the tool is used within your environment.
Role Report
This query can be used to draw an report of the Entra ID role memberships for all users.
ROSTI (Repackaged Open Source Intelligence) MDE File Events IOC Hits
Looks for SHA256 hits from the ROSTI Feed
ROSTI (Repackaged Open Source Intelligence) MDE Network Events IOC Hits
Looks for Network Traffic hits from the ROSTI Feed
Safe Links Email URL Block Trigger
This query lists the emails that have triggered a URL block by safelinks. This is done by collecting the safelinks logs where the action is ClickBlocked and then joining the email events to collect the information about the mail that was send. The URL click of the user will also generate a indincident itself, this enriches the information required to investigate this incident.
Safeboot Registry Modification Detection
This query detects modifications to safeboot registry keys
Scheduled Tasks from AppData Created or Updated
This query detects scheduled tasks that are created or updated with executables or scripts located in the `AppData` directory (including `%localappdata%` and `%appdata%`). This is a common technique used by malware and attackers to persist on a system without requiring administrative privileges. OneDrive-related tasks are excluded as a known false positive.
Security Alerts triggered by users at risk
This query identifies the users that are currently at risk. Based on that it performs a lookup on the security alerts that have been triggered with that user as entity. This can indicate that a useraccount has been compromised, because it has peformed risky sign in activities as well as malicious activities defined by security products or custom detection rules.
Security Copilot Agent Deleted
When an agent is removed from Entra, the agentic user behind the identity is also removed
Self-deletion by Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*