EXPLORE DETECTIONS
Tomcat 8 process executing PowerShell command line to perform data exploitation activities and setting up scheduler tasks.
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Top 10 devices with the most exploitable vulnerabilities
This query lists the 10 devices in your tenant with the most exploitable vulnerabilities.
Top 10 users with the most ips used to succesfully sign in
Collect the top 10 user with the most IP used to succefully sign in to a tenant. This query displays the 10 users that have used the most IP addresses so sign in.
Top 100 critical browser extensions with the most permissions required
----
Top 100 devices with the most browser extensions installed
----
Top 100 users that have the most interactive sign ins
Visualize the top 100 users that have performed the most interactive sign ins.
Top N Accounts Longest Period Without Password Reset
List the top N (based on *LatestNChanges*) with the longest time between now and their last password reset. While password expiration requirements do more harm than good it is still recommended to take a look at the accounts from which the password has not changed for years. This is due to the changes in the password policy, if the policy has been changed after the latest password change of that account is it likely that the account does not adhere to the currenct password policy. Every next password policy is in most cases an improvement, therefore it is expected that accounts that have not changed their password after the latest policy update do not meet the current complexity requirements.
Tor Connections
While Tor has legitimate uses for protecting personal privacy and circumventing censorship, it is often unwanted that connections are being made to Tor nodes. Detecting connections to Tor nodes can be done using the dynamic IP list of Tor nodes provided by [dan.me.uk](https://www.dan.me.uk/), this will allow you to query the most recent nodes each time the query is executed.
Total Device Risk Score
Scoring for the CVEs
Total Events by Table
This query returns a table that shows the number of events for each data table that occurred in the last 30 days. This can returns information about the totalevens in all your Sentinel tables. Since you probably ingest more in Sentinel than you know, this query can result in discovering 'new' data sources to investigate.
Total SMB Sessions Created by a suspicious device
Total SMB Sessions Created by a suspicious device
Total SMB Sessions Created by FileName
Total SMB Sessions Created by FileName
Total Succesful Sign-Ins by Browser
This query lists all the different browsers that are used to succesfully sign in to your Entra ID Tenant. This could be used to detect rare browsers that are used to sign into your tenant.
Total Succesful Sign-Ins by Operating System
This query can be used to detect rare operating systems that are used to sign into your tenant. For example your company only has Windows company devices and you have sign ins with MacOS, those can ben intersting to investigate.
Total vulnerable devices for known exploited vulnerabilities from CISA
----
Triggers when a know ransomware note is found
This query triggers when a known ransomware note is found.
Triggers when a known ransomware extension has been found
This query triggers when a file with a known ransomware extension has been found.
Triggers when a remote public SBM connection has been found
Triggers when a remote public SBM connection has been found
Triggers when a user performs a SmartScreen Override action
This query lists all SmartScreen override related events.
TrustedInstaller Abuse Detection
This query detects attempts to become TrustedInstaller
TTP Detection Rule: Abusing PowerShell to disable Defender components
Detection opportunity: Abusing PowerShell to disable Defender components
TTP Detection Rule: Check for Phishing Emails Using IPFS in Phishing Campaigns
This detection rule focuses on identifying phishing emails that potentially use the InterPlanetary File System (IPFS) to host malicious content. The usage of IPFS in phishing campaigns is a sophisticated technique as it can bypass conventional security measures. The rule involves checking for subsequent connections to IPFS-hosted sites, which could indicate the execution of a phishing attack utilizing this decentralized file hosting system.
TTP Detection Rule: NetSupport running from unexpected directory (FIN7)
Detection opportunity: NetSupport running from unexpected directory
TTP Detection Rule: PowerShell -encodedcommand switch
Detection opportunity 4: PowerShell -encodedcommand switch