Detect attempts to turn off System Restore

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

KQL

Detect BlueKeep exploitation attempts

This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.

KQL

Detect BlueKeep-related cryptocurrency mining

This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.

KQL

Detect cipher.exe deleting data

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

KQL

Detect clearing of system logs

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

KQL

Detect Cobalt Strike invoked via WMI

This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).

KQL

Detect command-and-control communication related to BlueKeep cryptomining

This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.

KQL

Detect credential theft via SAM database export by LaZagne

This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).

KQL

Detect CVE-2018-15982 exploit used to extract file from malicious RAR archive

This query was originally published in the threat analytics report, *CVE-2018-15982 exploit attacks*.

KQL

Detect CVE-2019-0863 (AngryPolarBearBug2) exploit

This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.

KQL

Detect CVE-2019-0973 (InstallerBypass) exploit

This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.

KQL

Detect CVE-2019-1053 (SandboxEscape) exploit

This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.

KQL

Detect CVE-2019-1069 (BearLPE) exploit

This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.

KQL

Detect CVE-2019-1129 (ByeBear) exploit

This query was originally published in the threat analytics report, *May 2019 0-day disclosures*.

KQL

Detect DoppelPaymer operators dumping credentials with ProcDump

This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).

KQL

Detect DoppelPaymer operators spreading files with PsExec

This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).

KQL

Detect DoppelPaymer operators stopping services

This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).

KQL

Detect DoppelPaymer performing reconnaissance with net.exe

This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).

KQL

Detect DoublePulsar execution

This query was originally published in the threat analytics report, *Motivated miners*.

KQL

Detect Executable Files in C:\ProgramData

This query detects rare executable files created in C:\ProgramData and all of its subfolders. Executable files are not commonly created in this location, so such file creations should be investigated. An attacker can use those folders to

KQL

Detect Executable Files in C:\Users\Public*

This query detects rare executable files created in C:\Users\Public and all of its subfolders. Executable files are not commonly created in this location, so such file creations should be investigated. An attacker can use those folders to

KQL
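The two entries above describe the same detection idea applied to two staging folders: flag executable files that are newly created under C:\ProgramData or C:\Users\Public and that are rare across the fleet. The following advanced hunting query is an added example written for this page; it is not the catalog's own query. It assumes the Microsoft 365 Defender `DeviceFileEvents` table, a 7-day lookback, a "rare" threshold of fewer than 3 devices, and a particular list of executable extensions; all three values are assumptions to tune per environment.

```kql
// Added example, not the catalog's published query.
// Assumes the DeviceFileEvents schema (Timestamp, DeviceId, DeviceName, ActionType,
// FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine).
let lookback = 7d;                 // assumption: how far back to hunt
let rare_device_threshold = 3;     // assumption: a hash seen on fewer devices than this is "rare"
// assumption: which extensions count as executable for this hunt
let exe_extensions = dynamic([".exe", ".dll", ".scr", ".com", ".ps1", ".bat", ".cmd", ".vbs", ".js"]);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
// both staging folders from the two catalog entries, including all subfolders
| where FolderPath startswith @"C:\ProgramData\" or FolderPath startswith @"C:\Users\Public\"
// pull the file extension so the match is on the real suffix, not a substring of the name
| extend Extension = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
| where Extension in (exe_extensions)
| where isnotempty(SHA256)
// rarity: how many distinct devices created a file with this hash
| summarize DeviceCount = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = make_set(DeviceName, 5),
            Paths = make_set(FolderPath, 5),
            Initiators = make_set(InitiatingProcessFileName, 5),
            SampleCommandLine = any(InitiatingProcessCommandLine)
            by SHA256, FileName
| where DeviceCount < rare_device_threshold
| order by FirstSeen desc
```

The rarity filter is what keeps this usable: software that legitimately drops binaries into C:\ProgramData (deployment agents, updaters) shows up on many devices and is summarized away, while a payload staged on one or two hosts surfaces with the process that wrote it. Review `Initiators` and `SampleCommandLine` before allowlisting anything, since the same folders are written to by both installers and the hands-on-keyboard tooling the ransomware entries on this page describe.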

Detect exploitation of the Internet Explorer remote code execution vulnerability, CVE-2018-8653

This query was originally published in the threat analytics report, *CVE-2018-8653 scripting engine vulnerability*.

KQL

Detect keywords associated with Snip3 campaign emails

Snip3 is a family of related remote access trojans. Although the members of this family contain numerous small variations, they all exhibit similar behaviors and techniques.

KQL

Detect loading of vulnerable drivers by Robbinhood ransomware campaign

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

KQL