EXPLORE DETECTIONS
Crowdstrike Impersonation during Global Outage
Admins will never forget this one
Cryptocurrency Domain Detection
This query detects network connections to known cryptocurrency domains
Custom Detection Deletion
This query lists all the custom detections that have been deleted in Defender For XDR. The information is available in the *CloudAppEvents* table. This allows you to audit custom detection rule deletions and alert on deletion activities (from unknown users).
Custom Detection Disabled
This query lists all the custom detections that have been disabled in Defender For XDR. The information is available in the *CloudAppEvents* table. This allows you to audit custom detection rule status changes and alert on disable activities (from unknown users).
Custom Detection Report for Microsoft Defender
Reporting on detection rules, especially custom ones, is a key function for any decent Detection Engineering team. This query attempts to track all the (latest) actions performed around custom detections for Defender For Endpoint/XDR. That includes creation/deletion and modifications. The information is available in the *CloudAppEvents* table. The query can also be used to track already created rules (more below).
Custom IOC Block Events
This query monitors for custom blocks from MDE Indicators (Hash, Certificate, URL)
CVE Check with Software Evidence
Cypherpunk remote execution through PSEXESVC
This query was originally published in the threat analytics report, *Cypherpunk ransomware leaves wake of tampered AVs*.
Database Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Databases are of particular interest to adversaries because they might contain sensitive, and therefore valuable, data. This detection uses a subset of common ports that are used by a variety of database services. The threshold in the detection can be adjusted to fit your needs. Additionally, there is a list of benign devices that are allowed to connect to multiple database servers (for example monitoring or backup hosts); add your own devices to it.
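The shape of such a detection, as an added example written here rather than the listed query itself: it counts distinct remote hosts each device reaches on common database ports in *DeviceNetworkEvents*, drops an allowlist of known benign devices, and surfaces devices above a threshold. The port list, threshold and allowlisted device names are constructed placeholders to tune for your environment.

```kql
// Added example, not the listed query. Devices reaching many distinct hosts on
// database ports inside one day are candidates for database discovery/scanning.
let DatabasePorts = dynamic([1433, 1434, 3306, 5432, 1521, 27017, 6379, 9042, 5984]); // constructed subset of common DB ports
let Threshold = 5;                                      // distinct database hosts per device; tune to your environment
let AllowedDevices = dynamic(["dbmon01", "backup01"]);  // constructed allowlist: hosts expected to reach many databases
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemotePort in (DatabasePorts)
| where DeviceName !in~ (AllowedDevices)
// Keep Timestamp and ReportId via arg_max so the result can be saved as a custom detection
| summarize DistinctTargets = dcount(RemoteIP),
            Targets = make_set(RemoteIP, 50),
            Ports = make_set(RemotePort),
            FirstSeen = min(Timestamp),
            arg_max(Timestamp, ReportId)
    by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| where DistinctTargets >= Threshold
| order by DistinctTargets desc
```

Grouping by the initiating process and account separates a scanner run from a single user session from legitimate service traffic, and the `arg_max(Timestamp, ReportId)` keeps the columns a Defender XDR custom detection rule requires (`Timestamp`, `DeviceId`, `ReportId`) after the `summarize`.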
Defender -RedSun Detection - NamedPipe Detection
https://github.com/Nightmare-Eclipse/RedSun
Defender -RedSun Detection - NamedPipe Detection Correlated to AntiVirus Detection
https://github.com/Nightmare-Eclipse/RedSun
Defender -RedSun Detection - TieringEngineService created in AppData
https://github.com/Nightmare-Eclipse/RedSun
Defender AV Exclusion Events
This query detects attempts to add exclusions to Microsoft Defender via PowerShell commands such as `Add-MpPreference` or `Set-MpPreference`. Attackers frequently add exclusions to Defender to allow their malicious tools to run without being detected. The query covers both direct command-line executions and PowerShell script-based executions captured via `DeviceEvents`.
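One way to cover both execution paths, as an added example rather than the listed query: match the cmdlets together with an `-Exclusion*` parameter in *DeviceProcessEvents* command lines and in PowerShell script-block events from *DeviceEvents*, then pull out the excluded value for triage. It assumes the *DeviceEvents* ActionType `PowerShellCommand` carries the executed command in `AdditionalFields.Command`.

```kql
// Added example, not the listed query. Requiring a cmdlet AND an -Exclusion* parameter
// avoids firing on unrelated Set-MpPreference calls (for example changing scan schedules).
let ExclusionCmdlets = dynamic(["Add-MpPreference", "Set-MpPreference"]);
let ExclusionParams = dynamic(["ExclusionPath", "ExclusionExtension", "ExclusionProcess", "ExclusionIpAddress"]);
// Path 1: the exclusion is passed directly on the process command line
let FromCommandLine = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any (ExclusionCmdlets) and ProcessCommandLine has_any (ExclusionParams)
| project Timestamp, DeviceId, DeviceName, ReportId, AccountName,
          Source = "ProcessCommandLine", Command = ProcessCommandLine, InitiatingProcessFileName;
// Path 2: the exclusion is set inside a script or interactive session (assumed PowerShellCommand ActionType)
let FromScripts = DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PowerShellCommand"
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where Command has_any (ExclusionCmdlets) and Command has_any (ExclusionParams)
| project Timestamp, DeviceId, DeviceName, ReportId, AccountName = InitiatingProcessAccountName,
          Source = "PowerShellCommand", Command, InitiatingProcessFileName;
union FromCommandLine, FromScripts
// Extract the first excluded value (path, extension, process or IP) for quick triage
| extend ExcludedValue = extract(@"-Exclusion(?:Path|Extension|Process|IpAddress)\s+[""']?([^""'\s]+)", 1, Command)
| order by Timestamp desc
```

The query only sees exclusions set through PowerShell; exclusions written directly to the registry or pushed by policy take a different path and need their own coverage.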
Defender For Endpoint Offboarding Package Downloaded
This query lists when a Defender For Endpoint offboarding package has been downloaded. Defender For Endpoint offboarding packages are considered Tier 0, because they allow you to remove security tooling from devices. (Local) Administrator permissions are needed to execute the process and successfully offboard devices.
Defender IOC Warning Bypass or Monitor Mode MDA bypass
Logs when users click past a warning given by MDE. The warning can come from MDE IOCs, or from MDA, which creates MDE IOCs in the background.
Defender XDR Custom Detection Modifications
Defense Evasion Alerts Generated by Defender For Endpoint
This query lists the Defense Evasion Alerts Generated by Defender For Endpoint.
Deletion Conditional Access Policy
This KQL query lists all conditional access policies that have been deleted. The modification of authentication processes can be used to create persistence on a cloud account.
Detect .ace files associated with WinRAR absolute path traversal exploit, CVE-2018-20250
This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*
Detect .jse file creation events
This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*.
Detect activity associated with malicious DLL, cyzfc.dat
These queries were originally published in the threat analytics report, *Attacks on gov't, think tanks, NGOs*.
Detect activity by the penetration tool, MailSniper
This query was originally published in the threat analytics report, *MailSniper Exchange attack tool*.
Detect anomalous process trees
This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level.