EXPLORE DETECTIONS
File creation with WinRAR absolute path traversal exploit, CVE-2018-20250
This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*.
Find data destruction related to Wadhrama ransomware
This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.
Find RDP persistence attempts related to Wadhrama ransomware
This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.
Find user accounts potentially affected by Cobalt Strike
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Find vulnerable Dell driver, dbutil_2_3.sys
This query was originally published in the threat analytics report, *Multiple EOP flaws in Dell driver (CVE-2021-21551)*.
FireEye Red Team tool CVEs [Nobelium]
Search for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group.
FireEye Red Team tool hashes [Nobelium]
This query searches for the hashes of the FireEye Red Team tools compromised by the Nobelium activity group.
Get an inventory of SolarWinds Orion software possibly affected by Nobelium
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Hiding a Java class file
This query was originally published in the threat analytics report, *Adwind utilizes Java for cross-platform impact*.
Identify accounts that have logged on to endpoints affected by Cobalt Strike
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*.
Image File Execution Options and .bat file usage in association with Wadhrama ransomware
This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.
Java process executing command line to download and execute PowerShell script
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
JavaScript use by Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Kinsing miner download
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Launching questd ransomware using osascript
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Locate Nobelium implant receiving DNS response
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Locate Nobelium-related malicious DLLs created in the system or locally
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Locate Nobelium-related malicious DLLs loaded in memory
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Locate Shlayer payload decryption activity
This query was originally published in the threat analytics report, *OSX/Shlayer sustains adware push*.
Locate SolarWinds processes launching command prompt with the echo command
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Locate SolarWinds processes launching suspicious PowerShell commands
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Mail.Read or Mail.ReadWrite permissions added to OAuth application
This query finds applications that have been granted Mail.Read or Mail.ReadWrite permissions to which the corresponding user recently consented. It can help identify applications that have been abused to gain access to user email.