EXPLORE DETECTIONS
Suspicious Browser Child Process
This detection triggers when a browser spawns a suspicious child process. Such a child process can execute or install commands and is often used to install malware on systems.
Suspicious Directory Sync Account Sign ins
This query detects suspicious sign-ins to the on-premises directory sync account.
Suspicious enumeration using Adfind tool
Attackers can use AdFind, an administrative tool, to gather information about domain controllers or ADFS servers. They may also rename the executable so it looks like another benign tool on the system.
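Because the binary may be renamed, a file-name match alone is not enough. The query below is an added example (not the repository's own detection) that keys on the PE `OriginalFileName` recorded in `ProcessVersionInfoOriginalFileName` and on switches characteristic of AdFind collection, so a renamed copy still surfaces. The 30-day window and the switch list are assumptions for illustration.

```kql
// Added example, not the repository's query.
// Catches AdFind by its embedded OriginalFileName and by its typical
// enumeration switches, independent of the on-disk file name.
let AdFindTerms = dynamic([
    "objectcategory",   // -f "(objectcategory=person|computer|group|organizationalUnit)"
    "trustdmp",         // -sc trustdmp  (trust dump)
    "dclist",           // -sc dclist    (domain controllers)
    "pwdnotreqd"        // -sc computers_pwdnotreqd
]);
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoOriginalFileName =~ "AdFind.exe"
    or ProcessCommandLine has_any (AdFindTerms)
// Flag the renamed case explicitly: binary says AdFind, file name does not.
| extend Renamed = ProcessVersionInfoOriginalFileName =~ "AdFind.exe" and FileName !~ "AdFind.exe"
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessVersionInfoOriginalFileName, Renamed, ProcessCommandLine,
          InitiatingProcessFileName, SHA256
| order by Renamed desc, Timestamp desc
```

Tune `AdFindTerms` against your own admin tooling: `objectcategory` also appears in legitimate LDAP scripts, so pair that term with the `Renamed` column or an allowlist of known admin hosts before promoting this to a custom detection.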
Suspicious Explorer Child Process
This detection triggers when explorer has a suspicious child process and the command line contains suspicious parameters. Such a child process can execute or install commands and is often used to install malware on systems.
Suspicious File Extension Upload to Office 365
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/SuspiciousFileExtensions.txt"] with (format="txt", ignoreFirstRecord=False);
Suspicious MSBuild Remote Thread
Adversaries may use MSBuild.exe to execute or build code through a trusted Windows LOLBin. In this specific scenario a suspicious MSBuild remote thread is created, which indicates command-and-control traffic or reverse shell activity.
Suspicious RUNMRU Entry
This query should be implemented as a custom detection; it triggers once a suspicious Windows RunMRU entry is found on a device. These RunMRU entries are one of the key indicators for ClickFix, since the lure makes the victim paste a command into the Win+R dialog, and Explorer records that command under the RunMRU key.
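An added example of such a RunMRU check over `DeviceRegistryEvents` (not the repository's own query). It assumes the Defender for Endpoint registry event schema and a term list chosen for illustration; the `robot` and `captcha` terms cover the "I am not a robot" comment many ClickFix one-liners carry.

```kql
// Added example, not the repository's detection.
// Each Win+R entry is written as a value under ...\Explorer\RunMRU;
// the MRUList value only orders them and carries no command text.
let SuspiciousTerms = dynamic([
    "powershell", "pwsh", "mshta", "cmd", "curl", "wget", "bitsadmin",
    "rundll32", "regsvr32", "certutil", "msiexec",
    "http", "https", "iex", "downloadstring", "hidden", "bypass", "enc",
    "robot", "captcha"    // lure comments pasted along with the command
]);
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\CurrentVersion\Explorer\RunMRU"
| where RegistryValueName != "MRUList"
| where RegistryValueData has_any (SuspiciousTerms)
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp desc
```

For a custom detection, group on `DeviceName` and `RegistryValueData` so one pasted command produces one alert, and feed `RegistryValueData` into the response playbook: it is the exact command the user ran and usually contains the payload URL.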
Task creation associated with privilege escalation vulnerability, CVE-2019-0808
This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*
Temporary Email Addresses
raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/tempmail-abused%20emaildomains.txt'] with (format=csv, ignoreFirstRecord=False);
The art of Knowing Your SIEM & XDR Data
This learning section was part of the Demo for ExpertsLive Netherlands 2024.
Threat Hunting Cisco Yanluowang Ransomware IOCs
Actor: Yanluowang
Threat Hunting for inbound connections from malicious IPs on internet facing devices
This query leverages the internet-facing property in Defender for Endpoint logs. That information is enriched with threat intelligence IP data to find inbound connections on public-facing devices from suspicious IP addresses. The query only lists results if the port that is used matches the port that is open on the device. In this scenario IPsum level 4 is used; to reduce false positives further you could use higher levels:
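An added example of that join (not the repository's own query). It assumes the IPsum repository's per-level files (one IP per line; higher level means more blocklists agree on the IP) and the `InternetFacingLocalPort` / `InternetFacingTransportProtocol` keys that Defender for Endpoint places in `DeviceInfo.AdditionalFields` for internet-facing devices; verify both against your tenant before relying on them.

```kql
// Added example, not the repository's query.
// Level 4 file assumed at the IPsum path below; swap the digit for a stricter level.
let MaliciousIPs = externaldata(RemoteIP:string)
    [@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"]
    with (format="txt", ignoreFirstRecord=False)
    | where RemoteIP !startswith "#"
    | distinct RemoteIP;
// Latest internet-facing record per device, with the port the scan observed.
let InternetFacing = DeviceInfo
    | where Timestamp > ago(30d)
    | where IsInternetFacing == true
    | summarize arg_max(Timestamp, *) by DeviceId
    | extend ExposedPort = toint(parse_json(AdditionalFields).InternetFacingLocalPort),
             ExposedProtocol = tostring(parse_json(AdditionalFields).InternetFacingTransportProtocol)
    | project DeviceId, ExposedPort, ExposedProtocol;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "InboundConnectionAccepted"
| where RemoteIP in (MaliciousIPs)
| join kind=inner InternetFacing on DeviceId
// Only keep hits on the port that is actually reachable from the internet.
| where LocalPort == ExposedPort
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemoteIPs = make_set(RemoteIP, 20)
    by DeviceName, ExposedPort, ExposedProtocol
| order by Connections desc
```

The port match is what keeps this from firing on every scanner that touches a closed port; inbound events on other ports are still worth a separate, lower-severity query. Note that `externaldata` needs a literal URL, so the level is changed by editing the path rather than via a variable.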
Threat Hunting for telegram as a Command & Control channel
Telegram can be used as a C2 channel by leveraging the Telegram Bot API. Multiple actors have used this in the wild, also for exfiltration (see references). This detection rule focuses on the Telegram API endpoint (api.telegram.org).
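An added example of the endpoint hunt (not the repository's own query). It assumes `DeviceNetworkEvents` records the contacted host in `RemoteUrl` (for TLS this is the SNI hostname, so the bot token and method in the URL path are not visible) and uses an illustrative allowlist of processes expected to talk to Telegram.

```kql
// Added example, not the repository's query.
// Any process other than a browser or the Telegram client reaching the Bot API
// is worth a look; malware typically calls it from a script host or a dropped binary.
let ExpectedClients = dynamic(["telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "api.telegram.org"
| where not(InitiatingProcessFileName in~ (ExpectedClients))
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = make_set(DeviceName, 10)
    by InitiatingProcessFileName, InitiatingProcessCommandLine,
       InitiatingProcessSHA256, InitiatingProcessAccountName
| order by Connections desc
```

Review the command line and hash columns first: a PowerShell or Python process posting to the Bot API on a schedule is the typical C2 or exfiltration beacon, while a single hit from an unfamiliar signed application may just be a legitimate notification integration to add to `ExpectedClients`.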
Threat Hunting Nighthawk RAT
IOC Source: https://raw.githubusercontent.com/fboldewin/YARA-rules/master/nighthawk.yar
Threat Intelligence Threat Types
The query can be used to visualize the different threat types you get from the MDTI connector to Sentinel. Some examples could be botnet, phishing, MaliciousUrl or a watchlist. This query can only be used in Sentinel.
Threatview Domain High Confidence Feed
Threatview IP High Confidence Feed
TLD by Count for DeviceNetworkEvents
Remove start and end of URL
Tomcat 8 process executing PowerShell command line to perform data exploitation activities and setting up scheduler tasks.
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Top 10 devices with the most exploitable vulnerabilities
This query lists the 10 devices in your tenant with the most exploitable vulnerabilities.
Top 10 users with the most IPs used to successfully sign in
Collect the top 10 users with the most IP addresses used to successfully sign in to a tenant. This query displays the 10 users that have used the most distinct IP addresses to sign in.
Top 100 critical browser extensions with the most permissions required
----
Top 100 devices with the most browser extensions installed
----
Top 100 users that have the most interactive sign ins
Visualize the top 100 users that have performed the most interactive sign ins.