EXPLORE DETECTIONS
Detect malicious use of RegAsm, RegSvcs, and InstallUtil by Snip3
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, all variants exhibit similar behaviors and techniques.
Detect nbtscan activity
This query was originally published in the threat analytics report, *Operation Soft Cell*.
Detect Office products launching wmic.exe
This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*.
Detect potentially malicious .jse launch by File Explorer or Word
This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*.
Detect potentially unwanted activity from ironSource bundlers
This query was originally published in the threat analytics report, *ironSource PUA & unwanted apps impact millions*.
Detect PsExec being used to spread files
This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
Detect rundll.exe being used for reconnaissance and command-and-control
This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
Detect security evasion related to the Robbinhood ransomware campaign
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Detect Snip3 associated communication protocols
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, all variants exhibit similar behaviors and techniques.
Detect Snip3 loader call to DetectSandboxie function
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, all variants exhibit similar behaviors and techniques.
Detect Snip3 loader-encoded PowerShell command
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, all variants exhibit similar behaviors and techniques.
Detect suspicious commands initiated by web server processes
This query was originally published in the threat analytics report, *Operation Soft Cell*.
Detect suspicious Mshta usage
This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*.
Detect suspicious RDP activity related to BlueKeep
This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.
Detect use of Alternate Data Streams
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Detect web server exploitation by DoublePulsar
This query was originally published in the threat analytics report, *Motivated miners*.
Detecting a JAR attachment
This query was originally published in the threat analytics report, *Adwind utilizes Java for cross-platform impact*.
Detects malicious SMB Named Pipes (used by common C2 frameworks)
Detects the creation of a [named pipe](https://docs.microsoft.com/en-US/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c) used by known APT malware.
Discovering potentially tampered devices [Nobelium]
To evade security software and analyst tools, Nobelium malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.
Domain federation trust settings modified
This query finds changes to a domain's federation trust settings, including a domain being switched from managed to federated authentication. Results include events in which a new Active Directory Federation Services (ADFS) TrustedRealm object, such as a signing certificate, is added.
Exchange PowerShell snap-in being loaded
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.
Exchange Server IIS dropping web shells and other artifacts
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.
Exchange vulnerability creating web shells via UMWorkerProcess
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.
Exchange vulnerability launching subprocesses through UMWorkerProcess
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.