The hypothesis is that a Microsoft Defender Antivirus detection whose threat family matches one of the signatures Microsoft has associated with EUROPIUM indicates potential activity by that actor in the monitored environment. SOC teams should proactively hunt for these detections to identify and contain early-stage compromises: an antivirus hit means the payload reached a host, so the follow-up question is whether anything executed before it was blocked, and what else is on that device.
KQL Query
// Defender AV threat-family names associated with EUROPIUM
let europium_sigs = dynamic(["BatRunGoXml", "WprJooblash", "Win32/Eagle!MSR", "Win32/Debitom.A"]);
AlertEvidence
| where ThreatFamily in~ (europium_sigs)   // in~ is a case-insensitive match
// kind=inner keeps every matching evidence row; the KQL default (innerunique) keeps only one row per AlertId
| join kind=inner AlertInfo on AlertId
| project Timestamp, DeviceName, ThreatFamily, FileName, SHA256, Title, Severity, AlertId
id: d02275d6-45ba-4ddc-be90-8fa260aebe55
name: Identify Microsoft Defender Antivirus detection related to EUROPIUM
description: |
  This query looks for Microsoft Defender Antivirus detections related to the EUROPIUM actor
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertEvidence
      - AlertInfo
tactics:
  - Impact
query: |
  // Defender AV threat-family names associated with EUROPIUM
  let europium_sigs = dynamic(["BatRunGoXml", "WprJooblash", "Win32/Eagle!MSR", "Win32/Debitom.A"]);
  AlertEvidence
  | where ThreatFamily in~ (europium_sigs)   // in~ is a case-insensitive match
  // kind=inner keeps every matching evidence row; the KQL default (innerunique) keeps only one row per AlertId
  | join kind=inner AlertInfo on AlertId
  | project Timestamp, DeviceName, ThreatFamily, FileName, SHA256, Title, Severity, AlertId
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Delivered by the Microsoft Defender XDR (MicrosoftThreatProtection) connector; ensure the connector is enabled and alert evidence is being ingested |
| AlertInfo | Same connector; required for the join on AlertId |
Scenario: Scheduled Microsoft Defender Antivirus Scan
Description: A scheduled or full scan can re-detect a file that an earlier real-time detection already reported, producing a second alert for the same hash on the same device. That is repeat evidence of one infection, not a new compromise, and belongs in the existing case rather than a fresh one. The rule does not search for the literal string "EUROPIUM" anywhere, so scan configuration or log text cannot trigger it; only the ThreatFamily value does.
Filter/Exclusion: | summarize arg_min(Timestamp, *) by DeviceName, SHA256 (keep the earliest alert per file and host), or compare AlertId against alerts already attached to an open incident.
Scenario: Microsoft Defender Antivirus Update or Signature Download
Description: A definition update on its own does not produce an AlertEvidence row with one of these ThreatFamily values. What an update can do is classify files that were already on disk (archived mail attachments, backup shares, old downloads) for the first time, so a burst of detections shortly after a signature release may describe historical exposure rather than an active intrusion. These are still true positives and should be triaged, not suppressed.
Filter/Exclusion: None. Use FolderPath and FileName to separate archived or backed-up copies from files in user profiles, temp directories or system paths, and prioritise the latter.
Scenario: Admin Task to Quarantine or Remove Malware
Description: Security or IT staff who collect, copy or detonate EUROPIUM samples (malware analysis hosts, sandboxes, evidence shares, IR collection tooling) generate genuine Defender AV detections with these family names. The quarantine or deletion action itself does not create additional evidence rows.
Filter/Exclusion: Maintain an explicit, reviewed allowlist of the hosts or accounts involved and apply it to the joined rows, e.g. | where DeviceName !in~ (analysis_hosts) or | where AccountName !in~ (analyst_accounts). Do not exclude on command-line keywords such as "quarantine" or "delete", or on account names containing "admin"; an attacker can use those just as easily.
Scenario: Microsoft Defender Antivirus Integration with Third-Party Tools
Description: Microsoft Defender for Endpoint is the product that emits these alerts, not a third-party integration. Evidence carrying the same family names may also arrive from other Defender services that write to the same tables (for example an attachment blocked at the mail layer), where the file never reached an endpoint.
Filter/Exclusion: Inspect ServiceSource and DetectionSource on the joined rows. Keep the endpoint detections as the primary signal and route mail-layer blocks to a lower-priority queue rather than excluding them outright.
Scenario: False Positive from Legacy or Custom Detection Rules
Description: Custom detection rules in Microsoft Defender XDR create their own alerts in AlertInfo and AlertEvidence. If a custom rule was written around the same family names, one underlying detection is reported twice: once by Defender AV and once by the custom rule.
Filter/Exclusion: Distinguish the two by DetectionSource (the Defender AV value versus the custom-detection value in your tenant) and deduplicate on DeviceName and SHA256 rather than excluding either source. An exclusion such as RuleName not contains "EUROPIUM" would also suppress the true positives this rule exists to find.
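The following Python is an added example, not part of the original hunting query or of Microsoft's content. It models the query's matching and join semantics together with the false-positive handling described above (case-insensitive family match, inner join to AlertInfo, analysis-host exclusion, deduplication of rescans by device and hash) over constructed AlertEvidence and AlertInfo rows, so the tuning can be sanity-checked offline before it is edited in Sentinel. The rows, the host names and the ANALYSIS_HOSTS list are assumptions made for illustration; only the column names and the signature list come from the page.

```python
"""Local model of the EUROPIUM Defender AV hunt (added example, not the page's KQL).

Re-implements the query's filter, join and tuning steps in plain Python over
constructed AlertEvidence / AlertInfo rows so the logic can be checked offline.
Column names follow the Defender XDR tables; every row and host name is made up.
"""

# Same family names as the query's europium_sigs.
EUROPIUM_SIGS = ["BatRunGoXml", "WprJooblash", "Win32/Eagle!MSR", "Win32/Debitom.A"]
# KQL `in~` is a case-insensitive membership test; model it with a lowercase set.
_SIGS_CI = {s.lower() for s in EUROPIUM_SIGS}

# Hosts where security staff handle live samples (assumed, tenant-specific list).
ANALYSIS_HOSTS = {"mal-sandbox-01"}

# Constructed sample evidence rows (not real alerts).
ALERT_EVIDENCE = [
    {"Timestamp": "2022-09-08T10:00:00Z", "AlertId": "da1", "DeviceName": "ws-fin-22",
     "ThreatFamily": "win32/eagle!msr", "SHA256": "aa" * 32, "FileName": "payload.exe"},
    # Scheduled scan finds the same file again on the same host (repeat, not new).
    {"Timestamp": "2022-09-08T10:30:00Z", "AlertId": "da2", "DeviceName": "ws-fin-22",
     "ThreatFamily": "Win32/Eagle!MSR", "SHA256": "aa" * 32, "FileName": "payload.exe"},
    # Analyst detonating a sample on a sandbox host.
    {"Timestamp": "2022-09-08T11:00:00Z", "AlertId": "da3", "DeviceName": "mal-sandbox-01",
     "ThreatFamily": "WprJooblash", "SHA256": "bb" * 32, "FileName": "sample.bin"},
    # Evidence whose alert has no AlertInfo row: dropped by the inner join.
    {"Timestamp": "2022-09-08T11:05:00Z", "AlertId": "da4", "DeviceName": "srv-db-03",
     "ThreatFamily": "Win32/Debitom.A", "SHA256": "cc" * 32, "FileName": "svc.exe"},
    # Unrelated family: must not match.
    {"Timestamp": "2022-09-08T11:10:00Z", "AlertId": "da5", "DeviceName": "ws-hr-04",
     "ThreatFamily": "Trojan:Win32/Emotet", "SHA256": "dd" * 32, "FileName": "doc.exe"},
]
ALERT_INFO = {  # keyed by AlertId, the join key
    "da1": {"Title": "'Eagle' malware was detected", "Severity": "High"},
    "da2": {"Title": "'Eagle' malware was detected", "Severity": "High"},
    "da3": {"Title": "'WprJooblash' malware was detected", "Severity": "High"},
    "da5": {"Title": "'Emotet' malware was detected", "Severity": "High"},
}


def europium_hits(evidence, info):
    """Model of the query: family filter, then inner join to AlertInfo on AlertId.

    `join kind=inner` keeps every matching evidence row; KQL's default join
    (innerunique) would keep only one evidence row per AlertId.
    """
    hits = []
    for row in evidence:
        if row["ThreatFamily"].lower() not in _SIGS_CI:
            continue
        alert = info.get(row["AlertId"])
        if alert is None:
            continue
        hits.append({**row, **alert})
    return hits


def triage(hits, analysis_hosts=ANALYSIS_HOSTS):
    """False-positive handling: drop known analysis hosts, then keep only the
    earliest alert per (DeviceName, SHA256) so a rescan of an already detected
    file does not surface as a new compromise."""
    excluded = {h.lower() for h in analysis_hosts}
    earliest = {}
    for h in sorted(hits, key=lambda r: r["Timestamp"]):
        if h["DeviceName"].lower() in excluded:
            continue
        earliest.setdefault((h["DeviceName"].lower(), h["SHA256"]), h)
    return list(earliest.values())


if __name__ == "__main__":
    for h in triage(europium_hits(ALERT_EVIDENCE, ALERT_INFO)):
        print(h["Timestamp"], h["DeviceName"], h["ThreatFamily"], h["AlertId"], h["Title"])
```

Run as a script it prints the single row an analyst would actually need to open (the first detection on ws-fin-22); the rescan on the same host, the sandbox detonation and the orphaned evidence row are all filtered for the reasons given in the scenarios above. Swapping ANALYSIS_HOSTS for an empty set shows how much the allowlist is suppressing, which is a useful check to run before trusting the exclusion in production.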