EXPLORE DETECTIONS
581 detections found

Azure Communication Services Deleted

Comment out if you want to look for attempts

KQL

Azure Function App Stopped or Deleted

Azure Activity must be enabled https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log?tabs=log-analytics?WT.mc_id=MVP_473477

KQL

Azure Logic App Disabled or Deleted

Comment out if you want to look for attempts

KQL

Azure Monitor Rule Disabled

KQL

Azure P2S (Point to site) Connection Success username and IP Parser

This will parse out the username and local IP for Azure VPN connection success logs. Diagnostic settings must be enabled.

KQL

Azure Resource Graph - APIM with basic auth enabled

https://github.com/bountyyfi/Azure-APIM-Cross-Tenant-Signup-Bypass

KQL

Azure Resource VM sku sizes Changes

To be run from Resource Graph Explorer

KQL

Azure Subscription Budget Deletion

KQL

AzureHound Detection

The query below uses the *GraphAPIAuditEvents* table to collect potential AzureHound executions. This is done by filtering on GET requests with status 200, since AzureHound is a collector that submits GET requests to retrieve the data. Furthermore, statistics are applied to count the number of bytes retrieved and how many unique requests have been executed within a timeframe of one hour. Lastly, the stats are compared against the thresholds; if the results exceed the thresholds, they are returned and your analysis can begin. These thresholds depend on the size of your Entra ID tenant. My test environment has a limited set of accounts, thus the total number of unique requests is limited. If your organisation has more than 1000 users, the *UniqueRequestThreshold* can easily be set above 5000.

T1087.004, T1069.003, T1087, T1069
KQL

AzureHound Detection

The query below uses the *MicrosoftGraphActivityLogs* table to collect potential AzureHound executions. This is done by filtering on GET requests with status 200, since AzureHound is a collector that submits GET requests to retrieve the data. Furthermore, statistics are applied to count the number of bytes retrieved and how many unique requests have been executed within a timeframe of one hour. Lastly, the stats are compared against the thresholds; if the results exceed the thresholds, they are returned and your analysis can begin. These thresholds depend on the size of your Entra ID tenant. My test environment has a limited set of accounts, thus the total number of unique requests is limited. If your organisation has more than 1000 users, the *UniqueRequestThreshold* can easily be set above 5000.

T1087.004, T1069.003, T1087, T1069
KQL

Backdoor associated with privilege escalation vulnerability, CVE-2019-0808

This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*.

KQL

Base64-encoded Nishang commands for loading reverse shell

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

KQL

BazaCall dropping payload via certutil.exe

BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.

KQL

BazaCall Excel file download domain pattern

BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.

KQL

Big Yellow Taxi - SignIn Based

The Big Yellow Taxi detections are based on the compromise of the state department in 2023. The following information was shared: State Department was the first victim to discover the intrusion when, on June 15, 2023, State’s security operations center (SOC) detected anomalies in access to its mail systems. The next day, State observed multiple security alerts from a custom rule it had created, known internally as “Big Yellow Taxi,” that analyzes data from a log known as MailItemsAccessed, which tracks access to Microsoft Exchange Online mailboxes.

T1114
KQL

BlockList Project DeviceNetworkEvents

raw.githubusercontent.com/blocklistproject/Lists/master/porn.txt"] with (format="csv", ignoreFirstRecord=False)

KQL

BloodHound Detection

This query detects the use of BloodHound based on the processes it creates. This detection is based on a threat report by Red Canary.

KQL

Bring Your Own Minifilter - EDR Bypass

Detects the Bring Your Own Minifilter technique used to bypass EDR.

KQL

Browser cookie theft by campaigns using Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.

KQL

Browser Domains - DeviceNetworkEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Browser%20IOCs.csv"] with (format="csv", ignoreFirstRecord=True);

KQL

Browser Extension Downloads using DeviceFileEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/Intune%20Browser%20Extension_IDs_the_user_should_be_prevented_from_installing.csv'] with (format=txt);

KQL

CA Application SignIn Failures

This KQL query lists all applications that trigger failed sign-in requests due to conditional access failures. This can indicate that a certain policy is not well configured and needs to be changed in order for accounts to be able to access the application. On the other hand, the failed sign-ins can also come from valid credentials that adversaries have obtained and are using to try to gain access to certain applications in your environment. The CA policy will only block if the previous authentication requirements have already been met (e.g. username + password (+ MFA)).

T1078.004, T1078
KQL

CA User SignIn Failures

This KQL query lists all users that trigger failed sign-in requests due to conditional access failures. This can indicate that a certain policy is not well configured and needs to be changed in order for accounts to be able to access the application. On the other hand, the failed sign-ins can also come from valid credentials that adversaries have obtained and are using to try to gain access to certain applications in your environment. The CA policy will only block if the previous authentication requirements have already been met (e.g. username + password (+ MFA)). It can be beneficial to understand why certain users trigger a large number of CA policy failures: either their credentials are leaked/stolen or they do not follow the right procedures to access the cloud environment.

T1078.004, T1078
KQL

Certutil Remote Download

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols. The living-off-the-land binary certutil is known to be misused by adversaries to remotely retrieve malicious tools.

T1218, T1105
KQL
Page 3 of 25