EXPLORE DETECTIONS
MailItemsAccessed throttling [Nobelium]
The MailItemsAccessed action is part of the new Advanced Audit functionality of Microsoft 365 Defender. It's part of Exchange mailbox auditing and is enabled by default for users that have an Office 365 or Microsoft 365 E5 license, or for organizations with a Microsoft 365 E5 Compliance add-on subscription.
New access credential added to application or service principal
This query will find when a new credential is added to an application or service principal.
Nobelium campaign DNS pattern
This query looks for the DGA pattern of the domain associated with the Nobelium campaign, in order to find other domains with the same activity pattern.
Nobelium encoded domain in URL
This query looks for a logon domain in the Azure AD logs that is encoded with the same DGA encoding used in the Nobelium campaign.
OAuth apps accessing user mail via GraphAPI [Nobelium]
This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.
OAuth apps reading mail via GraphAPI and directly [Nobelium]
As described in [previous guidance](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/), Nobelium may re-purpose legitimate existing OAuth applications in the environment to their own ends. However, malicious activity patterns may be discernible from legitimate ones.
OAuth apps reading mail via GraphAPI anomaly [Nobelium]
Use this query to review OAuth applications whose behaviour has changed as compared to a prior baseline period. The following query returns OAuth Applications accessing user mail via Graph that did not do so in the preceding week.
Office applications launching wscript.exe to run JScript
This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
Oracle WebLogic process wlsvcX64.exe exploitation and execution of PowerShell script to download payloads
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Outlook email access by campaigns using Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Powercat exploitation tool downloaded
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.
Procdump dumping LSASS credentials
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.
Process injection by Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Python usage associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Python-based attacks on macOS
This query was originally published in the threat analytics report, *Python abuse on macOS*.
Ransom note 'say' alert associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Registry edits by campaigns using Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Remote code execution on vulnerable server
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Return backup files deletion events
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Reverse shell associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.
Self-deletion by Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
ServicePrincipalAddedToRole [Nobelium]
One of the indicators of compromise for the Nobelium (formerly Solorigate) campaign was that unexpected service principals had been added to privileged roles. This query looks for service principals that have been added to any role.
SQL Server abuse
This query was originally published in the threat analytics report, *SQL Server abuse*.