EXPLORE DETECTIONS
Detect malicious documents associated with group known as "OceanLotus"
This query was originally published in a threat analytics report about the group known to other security researchers as *APT32* or *OceanLotus*.
Detect malicious network activity associated with group known as "OceanLotus"
This query was originally published in a threat analytics report about the group known to other security researchers as *APT32* or *OceanLotus*.
Detect malicious use of Msiexec
This query was originally published in the threat analytics report, *Msiexec abuse*.
Detect malicious use of RegAsm, RegSvcs, and InstallUtil by Snip3
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, the variants all exhibit similar behaviors and techniques.
Detect nbtscan activity
This query was originally published in the threat analytics report, *Operation Soft Cell*.
Detect net(1).exe Discovery Activities
This query can be used to detect suspicious net.exe or net1.exe activities that have been executed by an account. The parameters that are used to detect this behaviour are:
Detect new RDP connections
Detect new RDP connections to devices, that is, connections that have not been established in the past 20 days.
Detect Office products launching wmic.exe
This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*.
Detect potential ConsentFix OAuth authorisation code theft attempts
Query from https://sentinel.blog/consentfix-securing-your-tenant-against-oauth-authorisation-code-theft/
Detect potentially malicious .jse launch by File Explorer or Word
This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*.
Detect potentially unwanted activity from ironSource bundlers
This query was originally published in the threat analytics report, *ironSource PUA & unwanted apps impact millions*.
Detect PsExec being used to spread files
This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
Detect rundll.exe being used for reconnaissance and command-and-control
This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
Detect security evasion related to the Robbinhood ransomware campaign
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Detect SMB File Copies
Adversaries can use SMB to upload files to remote shares or to interact with files on those shares. A common technique is to upload malicious files to a remote host. This query detects all SMB file copies. In order to run the query effectively, add the benign accounts to the whitelist.
Detect Snip3 associated communication protocols
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, the variants all exhibit similar behaviors and techniques.
Detect Snip3 loader call to DetectSandboxie function
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, the variants all exhibit similar behaviors and techniques.
Detect Snip3 loader-encoded PowerShell command
Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, the variants all exhibit similar behaviors and techniques.
Detect suspicious commands initiated by web server processes
This query was originally published in the threat analytics report, *Operation Soft Cell*.
Detect suspicious Mshta usage
This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*.
Detect suspicious RDP activity related to BlueKeep
This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.
Detect the use of a new Sysinternal tool
Detect the use of a Sysinternals tool that has not been used in the last 90 days (30 days in the case of Defender XDR).
Detect Tor DNS request
Credit: Suraj Kumar. Modified from his query.
Detect use of Alternate Data Streams
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).