├── ASRDetections
├── AsrAdobeReaderChildProcessAuditedDetectionRule.md
├── AsrExecutableEmailContentAuditedDetectionRule.md
├── AsrLsassCredentialTheftAuditedQuery.md
├── AsrOfficeChildProcessAuditedQuery.md
├── AsrOfficeMacroWin32ApiCallsAuditedDetecitonRule.md
├── AsrOfficeProcessInjectionAuditedQuery.md
├── AsrPsexecWmiChildProcessAuditedQuery.md
├── AsrUntrustedExecutableAuditedQuery.md
├── AsrUntrustedUsbProcessAuditedDetectionRule.md
├── AsrVulnerableSignedDriverAuditedQuery.md
├── AsrWebShellOnServerAuditedQuery.md
└── Readme.md
├── C2
├── C2IntelFeedsIPs.KQL
├── C2IntelFeedsdomain.KQL
├── CSSacricialProcesses.KQL
├── CertReq.KQL
├── CloudflaredArgoTunnelDNS.md
├── FreeSSL.KQL
├── GoSimpleTunnel.KQL
├── GoogleSheetsC2Query.md
├── MaliciousJA3Fingerprint.kql
├── PlinkTunnelingForwarding.kql
├── PowerShellPossibleC2Connection.md
├── SliverPSexec.kql
├── SuspiciousNSLookup.kql
├── Telegraminfostealers.kql
└── devtunnel
│ ├── DevTunnelFileEvents.md
│ ├── DevTunnelnetworkdetection.md
│ ├── DevtunnelRegistry.md
│ └── Devtunnelcodetunneling.md
├── Collection
├── AdfindDetection.md
├── BloodHoundGeneratedfiles.kql
├── PowerShellKeyLogging.kql
└── WinrarEncryption.kql
├── Credential Access
├── Msbuild.kql
├── NTDSDump.kql
├── RegSamDumping.kql
└── SBMNTLM.kql
├── Defense Evasion
├── ADSRootProcessCreation.kql
├── ADSrootDirectoryFileCreation.kql
├── CoralRaiderMSHTAPowershell.KQL
├── DefenderExclusion.KQL
├── DefenderLocalOverride.kql
├── EDRSandblast.md
├── EventLogTamperingRegistry.md
├── Peaklightinfection.md
├── Rundllwithoutcommandline.KQL
├── Vssadmindelete.kql
└── rnpkeysDllHijack.md
├── Discovery
├── EnumerationShortperiod.kql
└── RundllSuspicious.KQL
├── Execution
├── CSCSuspiciousExecutions.kql
├── DiscordDriveby.KQL
├── DismLinuxSubsystem.KQL
├── EmailAttachmentExecuted.kql
├── LatrodectusFileCreation.md
├── MSHTAExecutions.KQL
├── MaliciousNamedPipes.KQL
├── MicrosoftWorkflowCompiler.kql
├── MusciFolderExecution.KQL
├── NodeJSSuspiciousExecutions.md
├── OfficeSmartScreen.KQL
├── OneNoteZeroday.kql
├── PSexecNamedPipe.KQL
├── PowershellDLLexecutions.KQL
├── PowershellSuspiciousStrings.kql
├── PowershellV2Downgrade.KQL
├── SuccesfullExploitationofPDFreaders.kql
├── Suspicious CLFS Driver Load.md
├── SuspiciousMMC.kql
├── SuspiciousMSC.KQL
├── SuspiciousPDQDeployRunnerChild.KQL
├── SuspiciousServiceInstalled
├── UnsginedExecutionsfromuserdirectories.md
├── WMISBMExec.KQL
├── WebDavTempFiles.KQL
├── WebdavExecution.kql
├── Winexe
│ ├── NamedPipeDetection.KQL
│ └── ServinceInstall.KQL
└── gpresult.kql
├── Exfiltration
├── Anydesk
│ └── Readme
├── BlackSuitbublupexfil.md
├── ExportMailbox.KQL
├── FreeSSLProviders.KQL
├── Rclone
│ ├── RcloneFileProperties.kql
│ ├── RcloneMSThreatReport.kql
│ └── Rcloneconfigfile.kql
├── RemoteAdminCerts.KQL
└── SimonThatamC2Putty.KQL
├── Exploit
└── SuspiciousMSIExecRRobin.KQL
├── Initial Acccess
├── ISOIMGMount.KQL
├── MacroTrustrecords.kql
└── SuspiciousSQLChildren.KQL
├── LICENSE
├── Lateral Movement
└── 7ZToSMBshare.md
├── Linux
├── BPFKprobe.md
├── Base64Shebang.md
├── ChattrImmutableRemoval.md
├── CryptoMiningDetection.kql
├── DoasConfFileCreation.md
├── Getcapdetection.md
├── Linuxwebshell.md
├── PtraceDetected.md
├── ShadowFileModified.md
├── ShadowPasswdcopytosuspiciouslocation.md
├── Sudoers.dFileCreation.md
├── SudoersFileEnumeration.md
├── TripleCrosseBPFRootkit.md
├── XclipExecutions.kql
└── ectprofilesuspiciousscripts.md
├── MacOS
├── CredentialAccessBuiltin.KQL
├── NetworkSetupProxy.KQL
├── PasswordStores.KQL
├── SQlite3TCC.KQL
├── chainbreaker.kql
├── copytmptousers.kql
├── libraryexecutions.kql
├── osascriptpassword.kql
├── tempexecutions.kql
└── useraddedtolocaladmin
├── Malja3fingerpints
├── Misc&reporting
└── InternetFacingDevices.KQL
├── Persistence
├── ForestBlizzardCustomProtocolHandler.kql
├── ServiceCreation.KQL
├── ServiceCreationIDE.KQL
├── ServiceCreationRATools.KQL
├── SuspiciousRunMRUentries.md
└── WMIEventConsumer.KQL
├── Privilege Escalation
├── CVE-2024-35250.md
├── Getsystem.kql
├── GetsystemelevationCSmetasploit.md
├── PrintspoolerElevation.kql
├── UAC
│ ├── ChangePKSLUITampering.kql
│ ├── Clipup.kql
│ ├── DLLhostUAC.kql
│ └── sdcltUAC.kql
└── applicationshimming.kql
├── README.md
├── RedCanaryReport2024
├── ChromeloaderRegistryValueLargeSizeGeneric.kql
├── PossibleMaliciousBrowserExtensionLoaded.kql
├── SecretsdumpExecution.KQL
├── SmashjackerAppinitDLLmodifcation.KQL
├── Tarfilexecutions.kql
├── WscriptInternetConnection.KQL
└── YellowCockatooPowershellPersistence
├── Sentinel
├── Apt29.kql
├── DeviceLogonEvents
│ └── BurteForceSingleIPmultipledestinationswithin10minutes.md
└── MFA
│ └── MFASuspicious.md
└── WindowsAPIDetections
├── GetAsyncKeyStateApiCallQuery.md
├── NtMapViewOfSectionDetectionRule.md
├── QueueUserApcRemoteApiCallDetectionRule.md
├── Readme.md
└── SetThreadContextRemoteApiCallQuery.md
/ASRDetections/AsrAdobeReaderChildProcessAuditedDetectionRule.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Adobe Reader Child Processes throug ASR
2 |
3 | ## Description
4 | This detection rule identifies child processes spawned by Adobe Reader that have been audited by Advanced Security Rules (ASR). Monitoring for child processes created by Adobe Reader is important because malicious actors can exploit vulnerabilities or use malicious PDFs to launch additional processes, executing malicious payloads. This rule focuses on identifying potentially suspicious activities initiated by Adobe Reader, providing early detection of possible threats.
5 |
6 | This rule helps identify and audit unusual child processes initiated by Adobe Reader, serving as an early warning for potential malicious activities.
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceEvents` for events where:
10 | - The `ActionType` is "AsrAdobeReaderChildProcessAudited".
11 |
12 | ## Tags
13 | - Adobe Reader
14 | - Child Processes
15 | - PDF Security
16 | - Malware
17 | - Advanced Security Rules (ASR)
18 | - Suspicious Activity
19 |
20 | ## Search Query
21 | ```kql
22 | DeviceEvents
23 | | where ActionType == "AsrAdobeReaderChildProcessAudited"
24 | ```
25 |
--------------------------------------------------------------------------------
/ASRDetections/AsrExecutableEmailContentAuditedDetectionRule.md:
--------------------------------------------------------------------------------
1 | # Rule :Detection of Executable Email Content Using AsrExecutableEmailContentAudited ASR rule
2 |
3 | ## Description
4 | This detection rule identifies audited events where executable content in emails is detected, excluding files with a ".js" extension. Monitoring for executable email content is essential to identify potential phishing or malware delivery attempts via email. JavaScript files are common vectors for malicious content, but this rule focuses on other executable files that could indicate an attempt to bypass email security measures.
5 |
6 | This rule monitors for audited actions related to executable content in email attachments, helping to identify potentially malicious files that could compromise the system.
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceEvents` for events where:
10 | - The `ActionType` is "AsrExecutableEmailContentAudited".
11 | - The `FileName` does not end with ".js".
12 |
13 | ## Tags
14 | - Email Security
15 | - Executable Content
16 | - Phishing
17 | - Malware
18 | - Suspicious Activity
19 |
20 | ## Search Query
21 | ```kql
22 | DeviceEvents
23 | | where ActionType == "AsrExecutableEmailContentAudited"
24 | | where FileName !endswith ".js"
25 |
--------------------------------------------------------------------------------
/ASRDetections/AsrLsassCredentialTheftAuditedQuery.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of LSASS Credential Theft Audited
2 |
3 | ## Description
4 | This detection rule identifies audited events where attempts to steal credentials from the Local Security Authority Subsystem Service (LSASS) process are detected. LSASS is a critical process that handles security policy and user authentication. Malicious actors often target LSASS to extract credentials and escalate privileges. This rule focuses on identifying rare instances of processes attempting to access LSASS, as frequent attempts may indicate a targeted attack.
5 |
6 | This rule helps detect and audit suspicious processes interacting with LSASS, providing an early warning for potential credential theft activities.
7 |
8 | - [Detect and Block Credential Dumps with Defender for Endpoint](https://jeffreyappel.nl/detect-and-block-credential-dumps-with-defender-for-endpoint-attack-surface-reduction/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceEvents` for events where:
12 | - The `ActionType` is "AsrLsassCredentialTheftAudited".
13 | - The `Timestamp` is within the last 30 days.
14 | - Summarizes the count of unique devices and rule hits by the `FileName` and `InitiatingProcessFileName`.
15 | - Filters for events where the count of unique devices is less than 3.
16 | - Sorts the results by the count of unique devices in descending order.
17 |
18 | ## Tags
19 | - Credential Theft
20 | - LSASS
21 | - Malware
22 | - Advanced Security Rules (ASR)
23 | - Suspicious Activity
24 |
25 | ## Search Query
26 | ```kql
27 | DeviceEvents
28 | | where ActionType == "AsrLsassCredentialTheftAudited" and Timestamp > ago(30d)
29 | //| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
30 | | summarize Devicecount=dcount(DeviceName), RuleHits=count() by FileName, InitiatingProcessFileName
31 | | where Devicecount < 3
32 | | sort by Devicecount desc
33 | ```
34 | ## Notes
35 | This is very noisy rule
36 |
--------------------------------------------------------------------------------
/ASRDetections/AsrOfficeChildProcessAuditedQuery.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Office Child Processes Through ASR
2 |
3 | ## Description
4 | This detection rule identifies child processes spawned by Microsoft Office applications that have been audited by Advanced Security Rules (ASR), excluding `onedrive.exe`. Monitoring for child processes created by Office applications is crucial because malicious actors often use Office macros to launch additional processes to execute malicious payloads. By excluding known and trusted processes like OneDrive, this rule focuses on identifying potentially suspicious activities that could compromise the system.
5 |
6 | This rule helps identify and audit unusual child processes initiated by Office applications, providing an early warning for potential malicious activities.
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceEvents` for events where:
10 | - The `ActionType` is "AsrOfficeChildProcessAudited".
11 | - The `FileName` is not "onedrive.exe".
12 |
13 | ## Tags
14 | - Office Security
15 | - Child Processes
16 | - Macro Security
17 | - Malware
18 | - Advanced Security Rules (ASR)
19 | - Suspicious Activity
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceEvents
24 | | where ActionType == "AsrOfficeChildProcessAudited"
25 | | where FileName != "onedrive.exe"
26 | ```
27 |
--------------------------------------------------------------------------------
/ASRDetections/AsrOfficeMacroWin32ApiCallsAuditedDetecitonRule.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Office Macro Win32 API Calls Audited
2 |
3 | ## Description
4 | This detection rule identifies audited events where Office Macros make Win32 API calls. Monitoring for such API calls is crucial because macros can be used to execute malicious code on the system. Malicious actors often exploit Office macros to run unauthorized scripts or binaries by leveraging Win32 API calls, which can lead to system compromise or data exfiltration.
5 |
6 | This rule monitors for audited actions related to Office macros making Win32 API calls, helping to identify potentially malicious macros that could compromise the system.
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceEvents` for events where:
10 | - The `ActionType` is "AsrOfficeMacroWin32ApiCallsAudited".
11 |
12 | ## Tags
13 | - Office Security
14 | - Macro Security
15 | - Win32 API Calls
16 | - Malware
17 | - Suspicious Activity
18 |
19 | ## Search Query
20 | ```kql
21 | DeviceEvents
22 | | where ActionType == "AsrOfficeMacroWin32ApiCallsAudited"
23 | ```
24 | ## Note
25 | Exclude trusted file names as this might get noisy
26 |
--------------------------------------------------------------------------------
/ASRDetections/AsrOfficeProcessInjectionAuditedQuery.md:
--------------------------------------------------------------------------------
1 | ## Rule: Detection of Process Injection from Office apps throug ASR
2 |
3 | ### Description
4 | This query detects events where an office process injection has been audited by the Advanced Security Audit Policy (ASR).
5 |
6 | - [Microsoft documentation on ASR](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)
7 |
8 | ### Detection Logic
9 | Monitors `DeviceEvents` for occurrences where the `ActionType` is `"AsrOfficeProcessInjectionAudited"`.
10 |
11 | ### Tags
12 | - ASR
13 | - Office
14 | - Process Injection
15 | - Auditing
16 |
17 | ### Search Query
18 | ```kql
19 | DeviceEvents
20 | | where ActionType == "AsrOfficeProcessInjectionAudited"
21 | ```
22 |
--------------------------------------------------------------------------------
/ASRDetections/AsrPsexecWmiChildProcessAuditedQuery.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of PsExec and WMI Child Processes Through ASR
2 |
3 | ## Description
4 | This detection rule identifies child processes created by PsExec and WMI that have been audited or bypassed by Advanced Security Rules (ASR), excluding `shutdown.exe`. Monitoring PsExec and WMI child processes is critical because they are commonly used by attackers to execute commands and scripts remotely. These tools are often leveraged for lateral movement and executing malicious payloads on target systems.
5 |
6 | This rule helps identify suspicious activity involving PsExec and WMI, excluding legitimate use cases such as system shutdown operations.
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceEvents` for events where:
10 | - The `ActionType` starts with "AsrPsexecWmiChildProcessAudited" or "AsrPsexecWmiChildProcessWarnBypassed".
11 | - The `FileName` is not "shutdown.exe".
12 |
13 | ## Tags
14 | - PsExec
15 | - WMI
16 | - Remote Execution
17 | - Lateral Movement
18 | - Advanced Security Rules (ASR)
19 | - Suspicious Activity
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceEvents
24 | | where ActionType startswith "AsrPsexecWmiChildProcessAudited" or ActionType startswith "AsrPsexecWmiChildProcessWarnBypassed"
25 | | where FileName != "shutdown.exe"
26 | ```
27 | # Notes
28 |
--------------------------------------------------------------------------------
/ASRDetections/AsrUntrustedExecutableAuditedQuery.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Untrusted Executables in User Folders
2 |
3 | ## Description
4 | This detection rule identifies untrusted executables within user directories that have been audited by Advanced Security Rules (ASR). Monitoring for untrusted executables is crucial because they can indicate the presence of malware or unauthorized software introduced into the system by malicious actors. This rule helps identify newly observed, globally rare executables within user folders that might have been introduced through various attack vectors.
5 |
6 | This rule monitors for audited actions related to untrusted executables in user directories, focusing on files that are new and have low global prevalence.
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceEvents` for events where:
10 | - The `ActionType` is "AsrUntrustedExecutableAudited".
11 | - The `FolderPath` contains "users".
12 | - The file has been seen globally within the last 3 days and has a global prevalence of less than or equal to 1.
13 |
14 | ## Tags
15 | - Untrusted Executables
16 | - User Directories
17 | - Malware
18 | - Suspicious Activity
19 | - Advanced Security Rules (ASR)
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceEvents
24 | | where FolderPath contains "users" and ActionType == "AsrUntrustedExecutableAudited"
25 | | project Timestamp, ReportId, DeviceId, ProcessCommandLine, FileName, FolderPath, InitiatingProcessSHA1, InitiatingProcessFileName, SHA1
26 | | invoke FileProfile("SHA1")
27 | | where GlobalFirstSeen > ago(3d) and GlobalPrevalence <= 1
28 | ```
29 | ## Notes
30 | This needs a bit of fine tunning to be enabled as a detection rule
31 |
--------------------------------------------------------------------------------
/ASRDetections/AsrUntrustedUsbProcessAuditedDetectionRule.md:
--------------------------------------------------------------------------------
1 | ## Rule: Detection of untrusted processe running for USB by ASR
2 |
3 | ### Description
4 | This query detects events where an untrusted USB process has been audited by the Advanced Security Audit Policy (ASR).
5 |
6 | - [Microsoft documentation on ASR](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)
7 |
8 | ### Detection Logic
9 | Monitors `DeviceEvents` for occurrences where the `ActionType` is `"AsrUntrustedUsbProcessAudited"`.
10 |
11 | ### Tags
12 | - ASR
13 | - USB
14 | - Auditing
15 |
16 | ### Search Query
17 | ```kql
18 | DeviceEvents
19 | | where ActionType == "AsrUntrustedUsbProcessAudited"
20 | ```
21 |
--------------------------------------------------------------------------------
/ASRDetections/AsrVulnerableSignedDriverAuditedQuery.md:
--------------------------------------------------------------------------------
1 | ## Rule: Detect loading for Vulnerable devices using ASR
2 |
3 | ### Description
4 | This query detects events where a vulnerable signed driver has been audited by the Advanced Security Audit Policy (ASR), excluding specific processes such as "HP Touchpoint Analytics Client" and "ASUSTeK Computer Inc.".
5 |
6 | - [Microsoft documentation on ASR](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)
7 |
8 | ### Detection Logic
9 | Monitors `DeviceEvents` for occurrences where:
10 | - `ActionType` is `"AsrVulnerableSignedDriverAudited"`
11 | - Excludes entries where `InitiatingProcessVersionInfoFileDescription` is `"HP Touchpoint Analytics Client"`
12 | - Excludes entries where `InitiatingProcessVersionInfoCompanyName` is `"ASUSTeK Computer Inc."`
13 |
14 | ### Tags
15 | - ASR
16 | - Driver Security
17 | - Auditing
18 |
19 | ### Search Query
20 | ```kql
21 | DeviceEvents
22 | | where ActionType == "AsrVulnerableSignedDriverAudited"
23 | | where InitiatingProcessVersionInfoFileDescription != "HP Touchpoint Analytics Client"
24 | | where InitiatingProcessVersionInfoCompanyName != "ASUSTeK Computer Inc."
25 |
--------------------------------------------------------------------------------
/ASRDetections/AsrWebShellOnServerAuditedQuery.md:
--------------------------------------------------------------------------------
1 | ## Rule : Web shell Detection on exchange servers with ASR
2 |
3 | ### Description
4 | This query detects events where a web shell on a server has been audited by the Advanced Security Audit Policy (ASR). Web shells are malicious scripts that enable remote administration on web servers, often used by attackers for persistent access and to execute arbitrary commands.
5 |
6 | - [Microsoft documentation on ASR](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)
7 |
8 | ### Detection Logic
9 | Monitors `DeviceEvents` for occurrences where the `ActionType` is `'AsrWebShellOnServerAudited'`.
10 |
11 | ### Tags
12 | - ASR
13 | - Web Shell
14 | - Server Security
15 | - Auditing
16 |
17 | ### Search Query
18 | ```kql
19 | DeviceEvents
20 | | where ActionType == 'AsrWebShellOnServerAudited'
21 | ```
22 |
--------------------------------------------------------------------------------
/ASRDetections/Readme.md:
--------------------------------------------------------------------------------
1 | # What does ASR rules offer
2 | ASR rules offer a broad range of built-in rules to secure your endpoint, covering areas like Office applications (think macros, DDE’s, etc.) subversion or leverage, but also things like Webmail, script, WMI, LSASS, and much more.
3 | ## To implement ASR rules following is Required:
4 | - Computers running Windows 10, versions 1709 and later, Windows Server version 1803 (Semi-Annual Channel or later) and Windows Server 2019
5 | - Windows 10 Pro/Enterprise/Education
6 | - Microsoft Defender antivirus must be active (cannot be in passive mode!)
7 | - Some rules require cloud-delivered protection to be enabled
8 | References https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420
9 |
10 |
11 |
12 | # ASR rule name to ASR guid
13 | | GUID | ASR rule name |
14 | |--------------------------------------|-----------------------------------------------------------------------------------------------------|
15 | | 56A863A9-875E-4185-98A7-B882C64B5CE5 | Block abuse of exploited vulnerable signed drivers |
16 | | 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C | Block Adobe Reader from creating child processes |
17 | | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Block all Office applications from creating child processes |
18 | | 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 | Block credential stealing from the Windows local security authority subsystem (lsass.exe) |
19 | | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Block executable content from email client and webmail |
20 | | 01443614-CD74-433A-B99E-2ECDC07BFC25 | Block executable files from running unless they meet a prevalence - age - or trusted list criterion |
21 | | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Block execution of potentially obfuscated scripts |
22 | | D3E037E1-3EB8-44C8-A917-57927947596D | Block JavaScript or VBScript from launching downloaded executable content |
23 | | 3B576869-A4EC-4529-8536-B80A7769E899 | Block Office applications from creating executable content |
24 | | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Block Office applications from injecting code into other processes |
25 | | 26190899-1602-49E8-8B27-EB1D0A1CE869 | Block Office communication application from creating child processes |
26 | | E6DB77E5-3DF2-4CF1-B95A-636979351E5B | Block persistence through WMI event subscription |
27 | | D1E49AAC-8F56-4280-B9BA-993A6D77406C | Block process creations originating from PSExec and WMI commands |
28 | | B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 | Block untrusted and unsigned processes that run from USB |
29 | | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Block Win32 API calls from Office macros |
30 | | C1DB55AB-C21A-4637-BB3F-A12568109D35 | Use advanced protection against ransomware |
31 | | A8F5898E-1DC8-49A9-9878-85004B8A61E6 | Block Webshell creation for Servers |
32 |
33 | # Implement ASR Rules
34 | Consult online documentation on deploying ASR Rules in audit mode to your network through Group policy or SCCM/Intune. a lot of work is required to move some of the rules to block mode
35 | to add exclusion this blog post here helps
36 | https://blog.nathanmcnulty.com/defender-for-endpoint-implementing-asr-rules/
37 | - To be added exclusion list
38 | # Get the list of the availalbe ASR rule actiontypes
39 | ```
40 | DeviceEvents
41 | | where ActionType startswith 'Asr'
42 | ```
43 |
44 | # References
45 | - https://asrgen.streamlit.app/ASR_Atomic_Testing
46 |
47 |
--------------------------------------------------------------------------------
/C2/C2IntelFeedsIPs.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceNetworkEvents
5 | | where RemoteIPType == "Public"
6 | | where RemoteIP in ((externaldata(IP: string ) [@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"]
7 | with (format=csv, ignoreFirstRecord=true) | distinct IP
8 | ))
9 | | where InitiatingProcessFileName !in ("Google Chrome Helper","chrome.exe","firefox.exe","msedge.exe","opera.exe")
10 |
11 | References:
12 |
--------------------------------------------------------------------------------
/C2/C2IntelFeedsdomain.KQL:
--------------------------------------------------------------------------------
1 | DeviceNetworkEvents
2 | | where RemoteIPType == "Public"
3 | | where InitiatingProcessVersionInfoProductName !in ("Sophos Anti-Virus","Google Chrome","Microsoft Edge","Firefox")
4 | | where RemoteUrl has_any ((externaldata(domain: string, ioc: string) [@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2s-30day.csv"]
5 | with (format=csv, ignoreFirstRecord=true) | where ioc contains_cs "C2 Domain" | distinct domain))
6 |
--------------------------------------------------------------------------------
/C2/CSSacricialProcesses.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | DeviceProcessEvents
6 | | where FileName has_any ("rundll32.exe","werfault.exe", "searchprotocolhost.exe", "gpupdate.exe", "regsvr32.exe", "svchost.exe", "msiexec.exe")
7 | | where ProcessCommandLine matches regex "^$"
8 |
9 |
10 | References:
11 |
12 |
--------------------------------------------------------------------------------
/C2/CertReq.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where (FileName contains "CertReq.exe" or ProcessVersionInfoInternalFileName contains "CertReq.exe") and ProcessCommandLine contains "Post"
6 | References:
7 |
8 |
--------------------------------------------------------------------------------
/C2/CloudflaredArgoTunnelDNS.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Cloudflared Argo Tunnel Communication
2 |
3 | ## Description
4 | This detection rule identifies network communication to **Cloudflared Argo Tunnel services**, specifically targeting `trycloudflare` and `argotunnel.com` domains. Cloudflared is a legitimate tool used to securely tunnel traffic through Cloudflare's network, often for web applications and remote access. However, adversaries can **abuse Argo Tunnels to bypass network security controls**, establish covert communication channels, and exfiltrate data without detection.
5 |
6 | This rule helps detect potential misuse of Cloudflared tunneling services by monitoring outbound DNS queries to `trycloudflare` and `argotunnel.com`.
7 |
8 | - [Sigma Rule: DNS Query for Cloudflared Communication](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceNetworkEvents` for DNS queries or network requests where:
12 | - The `RemoteUrl` contains `"trycloudflare"` or `"argotunnel.com"`.
13 |
14 | ## Tags
15 | - Cloudflare Argo Tunneling
16 | - DNS Query Monitoring
17 | - Suspicious Network Traffic
18 | - Covert Communication
19 | - Data Exfiltration
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceNetworkEvents
24 | | where RemoteUrl has_any ("trycloudflare", "argotunnel.com")
25 | ```
26 |
--------------------------------------------------------------------------------
/C2/FreeSSL.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceNetworkEvents
5 | | where RemoteUrl has_any ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")
6 | | where InitiatingProcessFolderPath !startswith @"c:\program files" | where InitiatingProcessParentFileName != @"SenseIR.exe" and InitiatingProcessVersionInfoProductName != @"Windows ACME Simple (WACS)"
7 | References:
8 |
--------------------------------------------------------------------------------
/C2/GoSimpleTunnel.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where ProcessCommandLine matches regex "\\-(?i)[f,l]\\=.*:\\/\\/"
6 |
7 | References:
8 | https://github.com/ginuerzh/gost
9 |
--------------------------------------------------------------------------------
/C2/GoogleSheetsC2Query.md:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Suspicious Non-Browser Access to Google APIs by Rare Processes on Windows
2 |
3 | ## Description
4 | This detection rule identifies suspicious network connections to key Google API endpoints—such as `drive.googleapis.com`, `oauth2.googleapis.com`, `sheets.googleapis.com`, and `www.googleapis.com`—that are initiated by processes other than standard web browsers or legitimate Google Drive File Stream (`googledrivefs.exe`). Attackers may use custom or rarely seen processes to interact with these endpoints for data exfiltration, command and control, or other malicious activities.
5 |
6 | To enhance detection accuracy, the rule invokes file profiling on the initiating process using its SHA1 hash and flags events where the process has a low global prevalence (less than 100). The rule also ensures that the detected activity originates from Windows devices by joining with the `DeviceInfo` table.
7 |
8 | ## Detection Logic
9 | - **Google API Endpoints:**
10 | Monitor network events where the `RemoteUrl` contains any of the following:
11 | - `drive.googleapis.com`
12 | - `oauth2.googleapis.com`
13 | - `sheets.googleapis.com`
14 | - `www.googleapis.com`
15 |
16 | - **Non-Browser Filter:**
17 | Exclude events where the initiating process is one of the common web browsers or the legitimate Google Drive File Stream:
18 | - `"chrome.exe"`, `"firefox.exe"`, `"msedge.exe"`, `"edge.exe"`, `"googledrivefs.exe"`
19 |
20 | - **Rare Process Check:**
21 | Use file profiling (based on `InitiatingProcessSHA1`) to flag processes with a global prevalence of less than 100.
22 |
23 | - **Windows Platform Verification:**
24 | Join with the `DeviceInfo` table to ensure the event originates from a Windows client (where `OSPlatform` contains "windows").
25 |
26 | ## Tags
27 | - Network Connection
28 | - Google API
29 | - Non-Browser Access
30 | - Rare Process
31 | - Data Exfiltration
32 | - Windows Security
33 | - Suspicious Activity
34 |
35 | ## Search Query
36 | ```kql
37 | DeviceNetworkEvents
38 | | where RemoteUrl has_any( @"drive.googleapis.com", @"oauth2.googleapis.com", "sheets.googleapis.com", "www.googleapis.com")
39 | | where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe", "edge.exe", "googledrivefs.exe")
40 | | invoke FileProfile(InitiatingProcessSHA1)
41 | | where GlobalPrevalence < 100
42 | | join kind=inner (
43 | DeviceInfo
44 | | project DeviceId, OSPlatform
45 | ) on DeviceId
46 | | where OSPlatform contains "windows"
47 | ```
48 | ## Notes
49 | This might be generating false positive and the query needs fine tunning from you
50 |
--------------------------------------------------------------------------------
/C2/MaliciousJA3Fingerprint.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Detection of Malicious JA3 Fingerprints in SSL Connections
2 |
3 | ## Description
4 | This detection rule identifies SSL connections inspected by Microsoft Defender for Endpoint (MDE) that match known malicious JA3 fingerprints. JA3 fingerprints are used to identify SSL/TLS clients based on their SSL/TLS handshake. Monitoring for these fingerprints can help detect potentially malicious activity, such as command and control (C2) communications.
5 |
6 | ## Detection Logic
7 | - Monitors `DeviceNetworkEvents` for events where the `ActionType` contains "SslConnectionInspected".
8 | - Parses the `AdditionalFields` column as JSON to extract the `ja3` fingerprint.
9 | - Compares the extracted `ja3` fingerprint against a list of known malicious JA3 fingerprints sourced from an external dataset.
10 |
11 | ## Tags
12 | - Network Monitoring
13 | - SSL/TLS Inspection
14 | - JA3 Fingerprinting
15 | - Malicious Activity
16 | - Command and Control (C2)
17 | - Suspicious Activity
18 |
19 | ## Search Query
20 | ```kql
21 | DeviceNetworkEvents
22 | | where ActionType contains "SslConnectionInspected"
23 | | extend parsed = parse_json(AdditionalFields)
24 | | where parsed.ja3 in (externaldata(Ja3Hash: string) [@"https://raw.githubusercontent.com/0xAnalyst/DefenderATPQueries/main/Malja3fingerpints"])
25 |
26 |
27 | # filter noise by removing internal IPs and internal domain certificates by parsed.subject or remvoe private IPs by where not (ipv4_is_private(RemoteIP))
28 |
--------------------------------------------------------------------------------
/C2/PlinkTunnelingForwarding.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where ProcessCommandLine contains "*:" and ProcessCommandLine has_any("-L","-P", "-R", "-pw", "-ssh")| where InitiatingProcessFolderPath != @"/bin/bash" and FolderPath != @"/bin/bash"
6 |
7 | References:
8 |
9 |
--------------------------------------------------------------------------------
/C2/PowerShellPossibleC2Connection.md:
--------------------------------------------------------------------------------
1 | # Rule : Suspicious PowerShell Web Requests
2 |
3 | ## Description
4 | This detection rule is designed to identify PowerShell commands associated with downloading or transferring data from a system, often used by attackers during data exfiltration or for malicious downloads. Malicious actors use web request utilities such as `Invoke-WebRequest`, `iwr`, `wget`, `curl`, `Net.WebClient`, and `Start-BitsTransfer` within PowerShell to interact with remote resources, posing a significant threat to system security.
5 |
6 | Detecting these commands helps flag potential data exfiltration attempts or unauthorized file transfers that could indicate malicious activity or compromise.
7 | Sigma Rule: Suspicious Data Exfiltration via CLI https://github.com/SigmaHQ/sigma/blob/35a5eb9a4cb6f9c7a25277617806471d9999b255/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
8 |
9 | ## Detection Logic
10 | - Filters `DeviceEvents` where the `ActionType` contains `"PowerShellCommand"`.
11 | - Parses the `AdditionalFields` to analyze the PowerShell command executed.
12 | - Matches the PowerShell command against suspicious web request utilities such as:
13 | - `Invoke-WebRequest` (iwr)
14 | - `wget`
15 | - `curl`
16 | - `Net.WebClient`
17 | - `Start-BitsTransfer`
18 |
19 | These commands are often used to download or upload files, and their presence in command-line executions is suspicious in many scenarios, especially outside of standard administrative use.
20 |
21 | ## Tags
22 | - PowerShell
23 | - Data Exfiltration
24 | - Malicious Downloads
25 | - Suspicious Command Execution
26 |
27 | ## Search Query
28 | ```kql
29 | DeviceEvents
30 | | where ActionType contains "PowerShellCommand"
31 | | extend parsed = parse_json(AdditionalFields)
32 | | where parsed.Command matches regex @"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|Start-BitsTransfer)\b"
33 |
--------------------------------------------------------------------------------
/C2/SliverPSexec.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Registry Value Set for Sliver Implant Psexec execution
2 |
3 | ## Description
4 | Detects registry value sets associated with the Sliver implant.
5 | https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
6 |
7 | ## Detection Logic
8 | - Filters `DeviceRegistryEvents` for actions where a registry value is set (`RegistryValueSet`).
9 | - Looks for specific registry value name and data combinations:
10 | - `DisplayName` with value `Sliver`.
11 | - `Description` with value `Sliver implant`.
12 |
13 | ## Tags
14 | - Persistence
15 | - Command and Control
16 |
17 | ## Search Query
18 | ```kql
19 | DeviceRegistryEvents
20 | | where ActionType == 'RegistryValueSet'
21 | | where (RegistryValueName == 'DisplayName' and RegistryValueData == 'Sliver')
22 | or (RegistryValueName == 'Description' and RegistryValueData == 'Sliver implant')
23 |
--------------------------------------------------------------------------------
/C2/SuspiciousNSLookup.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName contains "nslookup" and ProcessCommandLine has_any ("-querytype", "qt", "q", "-type=*")
6 | Refernces:
7 |
--------------------------------------------------------------------------------
/C2/Telegraminfostealers.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceNetworkEvents
5 | | where RemoteUrl contains "api.telegram.org"
6 | | where InitiatingProcessFileName !in ("chrome.exe","Telegram.exe","firefox.exe","msedge.exe","slack.exe","OUTLOOK.EXE","brave.exe","Postman.exe")
7 | | where InitiatingProcessVersionInfoFileDescription != @"Opera Internet Browser"
8 | | where InitiatingProcessFileName != @"Google Chrome Helper"
9 | | where InitiatingProcessFileName != @"Opera Helper"
10 | | where InitiatingProcessFileName != @"com.apple.WebKit.Networking"
11 |
12 | Rferences:
13 |
--------------------------------------------------------------------------------
/C2/devtunnel/DevTunnelFileEvents.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Suspicious File Events Involving DevTunnels
2 |
3 | ## Description
4 | This detection rule monitors for suspicious file operations involving folders named "DevTunnels." DevTunnels are a feature used in Visual Studio for creating secure tunnels for remote connections, commonly utilized for remote debugging or development. Any unusual file activities within this folder could signal potential misuse or unauthorized operations by malicious actors attempting to establish or maintain persistence on the system.
5 |
6 | This rule specifically excludes known legitimate software, such as Dell Display Manager 2, from triggering false positives. Monitoring DevTunnels for unexpected file activity can help detect potential threat actors utilizing this feature for lateral movement or remote access.
7 |
8 | - [Related SigmaHQ Rule for DevTunnels Monitoring](https://github.com/SigmaHQ/sigma/blob/ab2fb3642611988012a1ee79b056e2f3068059aa/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceFileEvents` for events where:
12 | - The `FolderPath` contains "DevTunnels", and
13 | - Excludes legitimate software such as Dell Display Manager 2.
14 |
15 | ## Tags
16 | - File Events
17 | - DevTunnels Monitoring
18 | - Suspicious File Access
19 | - Visual Studio Security
20 | - Threat Detection
21 |
22 | ## Search Query
23 | ```kql
24 | DeviceFileEvents
25 | | where FolderPath has "DevTunnels"
26 | //exclude Dell Display Manager | where InitiatingProcessFileName != "DellDisplayManager.exe"
27 | ```
28 |
--------------------------------------------------------------------------------
/C2/devtunnel/DevTunnelnetworkdetection.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Suspicious Visual Studio DevTunnels Communication
2 |
3 | ## Description
4 | This detection rule monitors network communications involving suspicious connections to Visual Studio DevTunnels APIs, specifically to domains ending with `tunnels.api.visualstudio.com` or `devtunnels.ms`. DevTunnels is a feature used for secure remote connections and debugging in Visual Studio. However, misuse of this service by malicious actors can lead to unauthorized remote access or data exfiltration.
5 |
6 | This rule flags potentially suspicious traffic by excluding legitimate processes such as `ServiceHub.Host.dotnet.x64.dll` or `ServiceHub.Host.dotnet.arm64` from Visual Studio's internal services. Monitoring for unusual process interactions with these URLs can help identify potential misuse or lateral movement in a network.
7 |
8 | - [SigmaHQ Rule for DevTunnels Communication](https://github.com/SigmaHQ/sigma/blob/ab2fb3642611988012a1ee79b056e2f3068059aa/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceNetworkEvents` for events where:
12 | - The `RemoteUrl` ends with `tunnels.api.visualstudio.com` or `devtunnels.ms`, and
13 | - The initiating process is not associated with legitimate Visual Studio processes, such as `ServiceHub.Host.dotnet.x64.dll` or `ServiceHub.Host.dotnet.arm64`.
14 |
15 | ## Tags
16 | - DevTunnels Monitoring
17 | - Suspicious Network Traffic
18 | - Visual Studio Security
19 | - Remote Access Detection
20 | - Threat Detection
21 |
22 | ## Search Query
23 | ```kql
24 | DeviceNetworkEvents
25 | | where RemoteUrl endswith "tunnels.api.visualstudio.com" or RemoteUrl endswith "devtunnels.ms"
26 | | where InitiatingProcessVersionInfoOriginalFileName != @"ServiceHub.Host.dotnet.x64.dll"
27 | | where InitiatingProcessVersionInfoFileDescription != @"ServiceHub.Host.dotnet.arm64"
28 | ```
29 |
--------------------------------------------------------------------------------
/C2/devtunnel/DevtunnelRegistry.md:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Devtunnel Detection through Registry Modifications Involving `InProcServer32` and MSAL Runtime
2 |
3 | ## Description
4 | This detection rule identifies suspicious modifications to the `InProcServer32` registry key where the registry value data contains "msalruntime." Modifying this registry key can be an indication of persistence or DLL injection attacks. The `InProcServer32` key is commonly associated with Component Object Model (COM) hijacking, where adversaries attempt to load malicious DLLs through legitimate processes.
5 |
6 | This rule is important for monitoring persistence techniques where the MSAL (Microsoft Authentication Library) runtime may be abused to perform unauthorized code execution or maintain persistent access to a compromised machine. By leveraging COM hijacking, threat actors can inject malicious code into trusted processes, effectively evading detection.
7 |
8 | - [SigmaHQ Rule for DevTunnels Communication](https://github.com/SigmaHQ/sigma/blob/ab2fb3642611988012a1ee79b056e2f3068059aa/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml)
9 | - [MITRE ATT&CK - T1547.001: Registry Run Keys/Startup Folder](https://attack.mitre.org/techniques/T1547/001/)
10 | - [MSAL Documentation - Microsoft Authentication Library](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)
11 |
12 | ## Detection Logic
13 | - Monitors `DeviceRegistryEvents` where:
14 | - The `RegistryKey` contains "inprocserver32", and
15 | - The `RegistryValueData` contains "msalruntime."
16 |
17 | ## Tags
18 | - Registry Events
19 | - COM Hijacking
20 | - Persistence Mechanisms
21 | - Windows Registry Monitoring
22 | - Malicious DLL Injection
23 | - MSAL Runtime Abuse
24 |
25 | ## Search Query
26 | ```kql
27 | DeviceRegistryEvents
28 | | where RegistryKey contains "inprocserver32"
29 | | where RegistryValueData contains "msalruntime"
30 | ```
31 |
--------------------------------------------------------------------------------
/C2/devtunnel/Devtunnelcodetunneling.md:
--------------------------------------------------------------------------------
1 | # Rule : Visual Studio Code Tunnel Abuse Detection
2 |
3 | ## Description
4 | This detection rule identifies suspicious use of the "tunnel" feature within Visual Studio Code (VSCode) that could indicate malicious activity or abuse. Attackers may leverage VSCode's tunnel functionality to establish unauthorized connections and bypass network restrictions. The rule monitors for command lines associated with tunnel creation, host setup, and allowing anonymous access. Malicious actors can exploit these functionalities to exfiltrate data or maintain persistence in a network.
5 |
6 | This method has been observed in espionage campaigns such as **Stately Taurus**, which targeted organizations in Southeast Asia, highlighting the growing abuse of legitimate tools like VSCode in advanced attacks.
7 |
8 | - [Stately Taurus Campaign by Unit42](https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceProcessEvents` where:
12 | - The `ProcessVersionInfoProductName` is "Visual Studio Code" and the `ProcessCommandLine` contains "tunnel".
13 | - The `ProcessCommandLine` includes:
14 | - "host" and "allow-anonymous"
15 | - "port" and "create" with a `-p` flag for specifying ports
16 |
17 | ## Tags
18 | - Process Execution
19 | - Tunneling
20 | - DevTunnels
21 | - Visual Studio Code
22 | - Espionage
23 |
24 | ## Search Query
25 | ```kql
26 | DeviceProcessEvents
27 | | where (ProcessVersionInfoProductName == @"Visual Studio Code" and ProcessCommandLine contains "tunnel" )
28 | or ProcessCommandLine has_all ("host", "allow-anonymous")
29 | or ProcessCommandLine has_all ("port", "create", "-p")
30 | ```
31 |
--------------------------------------------------------------------------------
/Collection/AdfindDetection.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of ADFind Command Usage
2 |
3 | ## Description
4 | This detection rule identifies suspicious use of `ADFind`, a command-line Active Directory query tool commonly leveraged by attackers for reconnaissance. Adversaries may use ADFind to extract valuable Active Directory data, such as domain information, user and group lists, or trust relationships. Monitoring for specific patterns in process command lines can help detect unauthorized ADFind activities and provide early warning of potential lateral movement or privilege escalation attempts.
5 |
6 | This rule monitors for the execution of ADFind commands, especially those containing sensitive keywords such as `"objectcategory"`, `"domainlist"`, `"adinfo"`, `"trustdmp"`, and others that indicate potential misuse for domain enumeration or privilege escalation.
7 |
8 | - [Elastic Security: AdFind Command Activity](https://www.elastic.co/guide/en/security/current/adfind-command-activity.html)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceProcessEvents` for events where:
12 | - The `ProcessCommandLine` contains keywords related to ADFind command usage.
13 | - The `ProcessCommandLine` matches a regular expression pattern indicating piping or redirection, which may suggest an attempt to manipulate or exfiltrate the gathered data.
14 |
15 | ## Tags
16 | - Active Directory Reconnaissance
17 | - ADFind
18 | - Domain Enumeration
19 | - Lateral Movement
20 | - Suspicious Command-Line Activity
21 | - Threat Detection
22 |
23 | ## Search Query
24 | ```kql
25 | let commandline = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=*"]);
26 | DeviceProcessEvents
27 | | where ProcessCommandLine has_any (commandline)
28 | | where ProcessCommandLine matches regex "(.*)>(.*)"
29 | ```
30 |
--------------------------------------------------------------------------------
/Collection/BloodHoundGeneratedfiles.kql:
--------------------------------------------------------------------------------
1 |
2 | name: Collection, Indicators of bloodhound usage within the environment
3 | description: Detects file dropped by BloodHound/SharpHound that contains AD information
4 | references: https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
5 | tags: Collection, t1087.001
6 | search_query:
7 | (DeviceFileEvents
8 | | where FileName contains "users.json" or FileName contains "*computers.json" or FileName contains "*groups.json" or FileName contains "*ous.json" or FileName contains "*domains.json" or FileName contains "bloodhound" or FileName contains "gpos.json" | where FileName != @"bloodhound.js"| where FileName != @"bloodhoundDropdown.js"
9 | )
10 | Notes:
11 |
--------------------------------------------------------------------------------
/Collection/PowerShellKeyLogging.kql:
--------------------------------------------------------------------------------
1 | name: Collection, Indicators of Keylogging through powershell
2 | description: Powershell might be used to intercept user's type keystrokes
3 | references: https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_keylogging/
4 | tags: Collection, T1056.001
5 | search_query:
6 | (DeviceEvents
7 | | where ActionType contains "PowerShellCommand"
8 | | extend parsed = parse_json(AdditionalFields)
9 | | where parsed.Command contains "GetAsyncKeyState" or parsed.Command contains "NtUserGetAsyncKeyState" or parsed.Command contains "GetKeyboardState" or parsed.Command contains "Get-Keystrokes" or parsed.Command contains"SetWindowsHook" or parsed.Command contains "NtUserSetWindowsHook"
10 | or parsed.Command contains "GetWindowText" or parsed.Command contains "GetForegroundWindow"
11 | | where InitiatingProcessParentFileName !in ("MicrosoftDependencyAgent.exe","slack.exe","MonitoringHost.exe","Slack.exe")
12 | | where InitiatingProcessVersionInfoProductName != @"Microsoft Monitoring Agent"
13 | )
14 | Notes:
15 |
16 |
--------------------------------------------------------------------------------
/Collection/WinrarEncryption.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where ((FileName == @"rar.exe" or ProcessVersionInfoInternalFileName == @"WinRAR" ) and ProcessCommandLine has_any ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta")) or (FileName in("7z.exe", "7za.exe") and ProcessCommandLine has_any("-p*", "-sdel") )
6 |
7 | References:
8 |
--------------------------------------------------------------------------------
/Credential Access/Msbuild.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceProcessEvents
4 | | where ProcessVersionInfoInternalFileName contains "msbuild.exe"
5 | | where InitiatingProcessFileName != @"devenv.exe" and InitiatingProcessVersionInfoInternalFileName != "MSBuild.exe"
6 |
7 | References:
8 |
--------------------------------------------------------------------------------
/Credential Access/NTDSDump.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceFileEvents
5 | | where (InitiatingProcessFileName has_any ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and InitiatingProcessCommandLine has_any("copy", "xcopy", "Copy-Item", "move", "cp", "mv")) or InitiatingProcessFileName contains "esentutl.exe"
6 | | where InitiatingProcessCommandLine has_any("ntds.dit", "SAM", "HarddiskVolumeShadowCopy", "system32/config/SAM")
7 | | where InitiatingProcessParentFileName != @"SenseIR.exe"
8 |
9 |
10 |
--------------------------------------------------------------------------------
/Credential Access/RegSamDumping.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query
3 | DeviceProcessEvents
4 | | where ProcessVersionInfoFileDescription == @"Registry Console Tool"
5 | | where ProcessCommandLine contains "save" or ProcessCommandLine contains "export"
6 | | where ProcessCommandLine has_any ("sam","security","system")
7 | References
8 |
--------------------------------------------------------------------------------
/Credential Access/SBMNTLM.kql:
--------------------------------------------------------------------------------
1 | name: Credential Access, NTLM stealing Over SMB
2 | description: Outgoing Traffic to the internet which might indicate NTLM stealing
3 | references:
4 | tags: Credential Access,
5 | search_query:
6 | (DeviceNetworkEvents
7 | | where ActionType == @"ConnectionSuccess"
8 | | where (RemotePort==445 or RemotePort == 135)and RemoteIPType == @"Public" and InitiatingProcessVersionInfoCompanyName != @"VMware, Inc." and RemoteUrl !contains "google"
9 | )
10 | Notes:
11 |
--------------------------------------------------------------------------------
/Defense Evasion/ADSRootProcessCreation.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)
2 |
3 | ## Description
4 | Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives.
5 | https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/
6 | https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml
7 |
8 | ## Detection Logic
9 | - Filters `DeviceProcessEvents` for events related
10 | - Specifically looks for events where the ProcessCommandLine matches of ADS process
11 |
12 | ## Tags
13 | - Defense Evasion
14 |
15 | ## Search Query
16 | ```kql
17 | DeviceProcessEvents
18 | | where ProcessCommandLine matches regex @"(?i)^[A-Z]:\\:.+"
19 |
--------------------------------------------------------------------------------
/Defense Evasion/ADSrootDirectoryFileCreation.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)
2 |
3 | ## Description
4 | Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives.
5 | https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/
6 | https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml
7 |
8 | ## Detection Logic
9 | - Filters `DeviceFileEvents` for events related to file creation.
10 | - Specifically looks for events where the folder path matches the pattern of a root directory on a Windows drive and contains a colon (`:`) followed by a dollar sign (`$`) to indicate an ADS creation attempt.
11 |
12 | ## Tags
13 | - Defense Evasion
14 |
15 | ## Search Query
16 | ```kql
17 | DeviceFileEvents
18 | | where ActionType == "FileCreated"
19 | | where FolderPath matches regex @"(?i)^[A-Z]:\\:.+"
20 |
--------------------------------------------------------------------------------
/Defense Evasion/CoralRaiderMSHTAPowershell.KQL:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Defense Evasion - PowerShell CoralRaider PSChildName MSHTA Execution (Windows)
2 |
3 | ## Description
4 | Detects the usage of PowerShell with the `PSChildName` command, which may indicate suspicious activity or attempts at defense evasion. This technique has been observed in the activity of suspected CoralRaider, which uses various information stealers as detailed in the article.
5 | - [Talos Intelligence Blog on CoralRaider](https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/)
6 |
7 | ## Detection Logic
8 | - Filters `DeviceProcessEvents` for events where the original file name is `PowerShell.EXE`.
9 | - Specifically looks for instances where the `ProcessCommandLine` contains the string `PSChildName`.
10 |
11 | ## Tags
12 | - Defense Evasion
13 |
14 | ## Search Query
15 | ```kql
16 | DeviceProcessEvents
17 | | where ProcessVersionInfoOriginalFileName == @"PowerShell.EXE"
18 | | where ProcessCommandLine contains "PSChildName"
19 |
20 | - Another query from device events which does the same
21 | DeviceEvents
22 | | where ActionType == @"PowerShellCommand" | where InitiatingProcessCommandLine contains "PSChildName"
23 |
24 | ## Notes
25 | "gp -pa" can also be used to hunt for the same
26 |
--------------------------------------------------------------------------------
/Defense Evasion/DefenderExclusion.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceRegistryEvents
4 | | where RegistryKey contains @"windows defender\exclusions" and InitiatingProcessCommandLine != @"svchost.exe -k GPSvcGroup" and InitiatingProcessCommandLine != @"svchost.exe -k netsvcs -p -s gpsvc" and InitiatingProcessCommandLine != @"msiexec.exe /V" and InitiatingProcessAccountName != @"system"
5 | | where InitiatingProcessParentId != 0
6 | References
7 |
--------------------------------------------------------------------------------
/Defense Evasion/DefenderLocalOverride.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceRegistryEvents
5 | | where ActionType == @"RegistryValueSet"
6 | | where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths"
7 |
8 |
9 | References:
10 |
--------------------------------------------------------------------------------
/Defense Evasion/EDRSandblast.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Suspicious Driver Loads Indicative of EDR Bypass
2 |
3 | ## Description
4 | This detection rule identifies the loading of suspicious drivers, such as `WN_64.sys` and `wnbios.sys`, which are commonly associated with techniques used to bypass Endpoint Detection and Response (EDR) systems. Attackers may use malicious or modified drivers to disable security software, avoid detection, and establish a foothold within the system. The identified drivers have been linked to sophisticated extortion and ransomware campaigns, as described by Palo Alto Networks' Unit 42 in their analysis of EDR bypass techniques.
5 |
6 | Monitoring driver load events for these specific filenames can help detect early signs of an attempted security bypass and give security teams the opportunity to investigate and mitigate the threat before further damage occurs.
7 |
8 | - [Palo Alto Networks Unit 42: EDR Bypass Extortion Attempt](https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/?pdf=download&lg=en&_wpnonce=70be2dde45)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceEvents` where:
12 | - The `ActionType` is `"DriverLoad"`.
13 | - The `FileName` includes `"WN_64.sys"` or `"wnbios.sys"`.
14 |
15 | ## Tags
16 | - EDR Bypass
17 | - Driver Load
18 | - Security Evasion
19 | - Ransomware
20 | - Suspicious Activity
21 |
22 | ## Search Query
23 | ```kql
24 | DeviceEvents
25 | | where ActionType == "DriverLoad"
26 | | where FileName has_any("WN_64.sys", "wnbios.sys")
27 | ```
28 |
29 | You can add the following line to detect the specific vulnerable drivers
30 | ```| extend parsed = parse_json(AdditionalFields)
31 | | where FileName has_any("WN_64.sys", "wnbios.sys") or parsed.ImageSHA256 has_any("6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143","6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143")
32 | ```
33 |
--------------------------------------------------------------------------------
/Defense Evasion/EventLogTamperingRegistry.md:
--------------------------------------------------------------------------------
1 | # Rule : Windows Event Log Access Tampering Via Registry modification
2 |
3 | ## Description
4 | This detection rule identifies attempts to modify Windows registry keys associated with the Event Log service and its channels, specifically targeting keys that end with "CustomSD" or "ChannelAccess". Adversaries may alter these registry settings to disable or manipulate event logging, hindering forensic investigations and enabling persistence or further malicious activity.
5 |
6 | By flagging registry value set actions on these keys, this rule helps detect efforts to tamper with Windows Event Log security descriptors, which is a common tactic used to evade detection.
7 |
8 | - [Sigma Rule: Registry Set Disable Windows Event Log Access](https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_windows_event_log_access/)
9 |
10 | ## Detection Logic
11 | - **Monitored Events:**
12 | The rule monitors `DeviceRegistryEvents` for actions where:
13 | - The `RegistryKey` contains "EventLog" or "Channels".
14 | - The `ActionType` is "RegistryValueSet".
15 | - **Suspicious Activity:**
16 | Flags events where the `RegistryKey` ends with either "CustomSD" or "ChannelAccess", which may indicate an attempt to alter the security descriptors for event logging.
17 |
18 | ## Tags
19 | - Registry Modification
20 | - Event Log Tampering
21 | - Windows Security
22 | - Persistence
23 | - Evasion
24 | - Malicious Activity
25 |
26 | ## Search Query
27 | ```kql
28 | DeviceRegistryEvents
29 | | where RegistryKey has_any ("EventLog", "Channels") and ActionType == "RegistryValueSet"
30 | | where RegistryKey endswith "CustomSD" or RegistryKey endswith "ChannelAccess"
31 | ```
32 |
--------------------------------------------------------------------------------
/Defense Evasion/Peaklightinfection.md:
--------------------------------------------------------------------------------
1 | # Rule : Peaklight Masquerading with PowerShell and Media Player files
2 |
3 | ## Description
4 | This detection rule identifies instances of PowerShell being executed alongside media player executables, such as `wmplayer.exe`, `setup_wm.exe`, or `Microsoft.Media.Player.exe`, as well as PowerShell executions involving `.mp4` files in the `appdata` directory. This behavior is commonly associated with stealthy, memory-only malware attacks, such as Peaklight, which leverages masquerading techniques to evade detection.
5 |
6 | Peaklight malware is known for its ability to avoid writing files to disk by operating entirely in memory, using trusted system processes to appear legitimate. This makes detection more difficult. In this scenario, attackers abuse PowerShell to launch malware while masquerading it as media playback activity, exploiting user expectations and disguising malicious intent behind seemingly benign processes.
7 |
8 | By leveraging this detection, security teams can identify potential malicious activity masquerading as media players and block attempts to evade traditional defenses.
9 |
10 | - [Peaklight: Decoding Stealthy Memory-Only Malware](https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware)
11 | - [Masquerading Technique T1036: Malware Peaklight Defense Evasion](https://github.com/Sam0x90/CB-Threat-Hunting/blob/789fa8c238afd02059cd1ceadcdddbd146fcbf93/Detections/Malwares%26Tools/malware_peaklight_defense_evasion_t1036_masquerading_powershell_by_opening_video_file_as_expected_by_the_user.yaml)
12 |
13 | ## Detection Logic
14 | - Monitors `DeviceProcessEvents` for events where:
15 | - The `InitiatingProcessFileName` is `"powershell.exe"`, and
16 | - The `FileName` is `"setup_wm.exe"`, `"wmplayer.exe"`, or `"Microsoft.Media.Player.exe"`, or
17 | - The `ProcessCommandLine` contains both `"appdata"` and `".mp4"`.
18 |
19 | ## Tags
20 | - Process Events
21 | - Masquerading
22 | - PowerShell
23 | - Memory-Only Malware
24 | - Defense Evasion
25 | - Suspicious Activity
26 |
27 | ## Search Query
28 | ```kql
29 | DeviceProcessEvents
30 | | where InitiatingProcessFileName == "powershell.exe"
31 | | where FileName in ("setup_wm.exe", "wmplayer.exe", "Microsoft.Media.Player.exe")
32 | or (ProcessCommandLine contains "appdata" and ProcessCommandLine contains ".mp4")
33 |
--------------------------------------------------------------------------------
/Defense Evasion/Rundllwithoutcommandline.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName == "rundll32.exe" or ProcessVersionInfoOriginalFileName == @"RUNDLL32.EXE"| where ProcessCommandLine matches regex "^$"
6 |
7 | References:
8 |
9 | Notes:
10 |
--------------------------------------------------------------------------------
/Defense Evasion/Vssadmindelete.kql:
--------------------------------------------------------------------------------
1 | name: Defense Evasion, Indicators Shadow Copy Deletion
2 | description: Shadow Copies deletion using Vssadmin or Wmic
3 | references: https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
4 | tags: Defense Evasion, T1490,T1070
5 | search_query:
6 | (DeviceProcessEvents
7 | | where FileName has_any ("vssadmin.exe","wmic.exe") and (ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete")
8 | )
9 | Notes:
10 |
--------------------------------------------------------------------------------
/Defense Evasion/rnpkeysDllHijack.md:
--------------------------------------------------------------------------------
1 | # Rule : Thunderbird rnpkeys.exe DLL Hijacking - StealC InfoStealer
2 |
3 | ## Description
4 | This detection rule identifies the execution of `rnpkeys.exe` associated with the Thunderbird email client. The `rnpkeys.exe` process is related to the handling of cryptographic keys in Thunderbird. Monitoring this process is essential because it could be exploited by malicious actors to manipulate encryption keys, potentially compromising secure communications. According to the MITRE ATT&CK framework, such manipulations fall under "DLL Search Order Hijacking" (T1574.001), where adversaries may exploit the search order to load malicious DLLs.
5 |
6 | This rule helps detect and audit the usage of `rnpkeys.exe` within Thunderbird, ensuring that only legitimate key operations are performed and providing an early warning for potential malicious activities.
7 |
8 | Seen in version 115.6.0
9 | and the dll file name is rnp.dll
10 | - [MITRE ATT&CK: DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001/)
11 |
12 | ## Detection Logic
13 | ### DeviceProcessEvents
14 | - Monitors `DeviceProcessEvents` for events where:
15 | - The `FileName` contains "rnpkeys.exe".
16 | - The `ProcessVersionInfoProductName` is "Thunderbird".
17 |
18 | ### DeviceImageLoadEvents
19 | - Monitors `DeviceImageLoadEvents` for events where:
20 | - The `InitiatingProcessFileName` contains "rnpkeys.exe".
21 |
22 | ## Tags
23 | - Thunderbird
24 | - Cryptographic Keys
25 | - rnpkeys.exe
26 | - Email Security
27 | - Process Monitoring
28 | - DLL Search Order Hijacking
29 | - MITRE ATT&CK T1574.001
30 | - Suspicious Activity
31 |
32 | ## Search Query
33 | ```kql
34 | DeviceProcessEvents
35 | | where FileName contains "rnpkeys.exe"
36 | | where ProcessVersionInfoProductName == "Thunderbird"
37 | ```
38 | ```kql
39 | DeviceImageLoadEvents
40 | | where InitiatingProcessFileName contains "rnpkeys.exe"
41 | ```
42 |
--------------------------------------------------------------------------------
/Discovery/EnumerationShortperiod.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceProcessEvents
4 | | where InitiatingProcessParentFileName =~ "cmd.exe" and FileName in ( "tasklist.exe","arp.exe", "at.exe", "attrib.exe", "dsquery.exe", "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe", "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe", "vssadmin.exe", "wevtutil.exe", "psexec.exe", "bcedit.exe", "wbadmin.exe", "icacls.exe", "diskpart.exe")
5 | and InitiatingProcessParentFileName != @"services.exe"
6 | | summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId),DiscoveryCommands = dcount(ProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(ProcessCommandLine) by DeviceId, DeviceName, bin(Timestamp, 30m)
7 | | where DiscoveryCommands >= 3
8 | References:
9 |
--------------------------------------------------------------------------------
/Discovery/RundllSuspicious.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where InitiatingProcessFileName contains "rundll" or InitiatingProcessVersionInfoInternalFileName == @"rundll"
6 | | where FileName has_any ("cmd.exe","powershell", "powershell_ise") and InitiatingProcessCommandLine !contains @"zzzzInvokeManagedCustomActionOutOfProc"
7 | References:
8 |
9 |
10 | Notes:
11 |
--------------------------------------------------------------------------------
/Execution/CSCSuspiciousExecutions.kql:
--------------------------------------------------------------------------------
1 | Tags
2 | Query:
3 | DeviceProcessEvents
4 | | where ProcessVersionInfoFileDescription == @"Visual C# Command Line Compiler"
5 | | where InitiatingProcessParentFileName == @"cmd.exe" | where InitiatingProcessCommandLine !contains @"google\mFit" | where InitiatingProcessCommandLine !contains @"[Elam]::InstallWdBoot"
6 | Rerences:
7 |
--------------------------------------------------------------------------------
/Execution/DiscordDriveby.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | DeviceFileEvents
6 | | where isnotempty(FileOriginUrl)
7 | | where FileOriginUrl contains "cdn.discordapp.com/attachments/" or FileOriginReferrerUrl contains "cdn.discordapp.com/attachments/" | where FileName contains "pass"
8 |
9 |
10 | References:
11 |
--------------------------------------------------------------------------------
/Execution/DismLinuxSubsystem.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName contains "Dism.exe" or ProcessVersionInfoInternalFileName == @"dism" | where ProcessCommandLine contains "Subsystem"
6 | Refernces:
7 |
--------------------------------------------------------------------------------
/Execution/EmailAttachmentExecuted.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | EmailAttachmentInfo
5 | | where isnotempty(SHA256)
6 | |join (
7 | DeviceProcessEvents
8 | | project DeviceName,FileName, SHA256
9 | ) on SHA256
10 | | project Timestamp, DeviceName , FileName, SHA256, SenderFromAddress, RecipientEmailAddress
11 |
12 | References:
13 |
--------------------------------------------------------------------------------
/Execution/LatrodectusFileCreation.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Suspicious MSI and DLL Activity Associated with Latrodectus Malware
2 |
3 | ## Description
4 | This detection rule identifies suspicious file and process activities that could be indicative of Latrodectus malware or similar threats. The query monitors for specific file paths, particularly MSI files and the `aclui.dll`, often used in malicious contexts, in combination with `msiexec` or `rundll32` processes. Latrodectus malware, as described in recent analyses, leverages these files and processes to execute payloads and achieve persistence on infected systems.
5 |
6 | Latrodectus is a sophisticated malware family known for its ability to evade detection and deliver various payloads, including information stealers and ransomware. This rule is designed to detect the early stages of Latrodectus infection, focusing on suspicious file creations and process executions that are not typically associated with legitimate software installations or updates.
7 |
8 | - [Latrodectus Malware Analysis](https://blog.krakz.fr/articles/latrodectus/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceFileEvents` for events where:
12 | - The `FolderPath` contains any of the following suspicious files:
13 | - `"aclui.dll"`,
14 | - `"Roaming\\capisp"`,
15 | - `"temp\\vpn.msi"`,
16 | - `"neuro.msi"`,
17 | - `"bst.msi"`,
18 | - `"aes256.msi"`,
19 | - `"neo.msi"`,
20 | - `"bim.msi"`,
21 | - `"WSC.msi"`.
22 | - The `InitiatingProcessCommandLine` includes `"msiexec"` or `"rundll32"`.
23 |
24 | ## Tags
25 | - Latrodectus Malware
26 | - Suspicious MSI Activity
27 | - DLL Hijacking
28 | - Process Execution
29 | - MITRE ATT&CK T1059 (Command and Scripting Interpreter)
30 | - Persistence
31 | - Suspicious Activity
32 |
33 | ## Search Query
34 | ```kql
35 | DeviceFileEvents
36 | | where FolderPath has_any ("aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi", "bst.msi","aes256.msi","neo.msi","bim.msi","WSC.msi")
37 | | where InitiatingProcessCommandLine has_any("msiexec", "rundll32")
38 |
--------------------------------------------------------------------------------
/Execution/MSHTAExecutions.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where InitiatingProcessFileName contains "mshta.exe"
6 | and ProcessCommandLine has_any ("javascript", "about" , "vbscript", "http", "ftp")
7 | Refernces:
8 |
--------------------------------------------------------------------------------
/Execution/MaliciousNamedPipes.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query://This need a bit of fixing
4 | let badPipeNames = pack_array('psexesvc','paexec','remcom');
5 | DeviceEvents
6 | | where ActionType == "NamedPipeEvent"
7 | | extend ParsedFields=parse_json(AdditionalFields)
8 | //| where ParsedFields.FileOperation == "File created"
9 | //tolower(tostring(split(FileName,'\\')[-1]))
10 | | extend foo = tolower(tostring(split(ParsedFields.PipeName,'\\')[-1]))
11 | | project foo, ParsedFields.PipeName
12 | | where foo in(badPipeNames)
13 |
--------------------------------------------------------------------------------
/Execution/MicrosoftWorkflowCompiler.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceProcessEvents
4 | | where ProcessVersionInfoInternalFileName == @"Microsoft.Workflow.Compiler.exe"
5 |
6 | References:
7 |
--------------------------------------------------------------------------------
/Execution/MusciFolderExecution.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceFileEvents
5 | | where ActionType == @"FileCreated" and FolderPath contains "music" and FolderPath contains "users" and FileName endswith ".exe"
6 | and InitiatingProcessAccountName != @"system" and InitiatingProcessVersionInfoCompanyName != @"Parallels International GmbH"
7 | | invoke FileProfile()
8 | | where GlobalPrevalence <= 10
9 | References:
10 |
--------------------------------------------------------------------------------
/Execution/NodeJSSuspiciousExecutions.md:
--------------------------------------------------------------------------------
1 | # Rule : Suspicious Node.js Process Execution with PowerShell
2 |
3 | ## Description
4 | This detection rule identifies suspicious executions of `node.exe` that include potentially malicious command-line arguments. Attackers often use Node.js (`node.exe`) to execute system commands, including PowerShell, to gain unauthorized access, execute malicious scripts, or establish persistence on a compromised system.
5 |
6 | By monitoring Node.js processes with command-line arguments containing HTTP-related operations (`http`), child process creation functions (`spawn`, `execSync`), JavaScript constants (`const`), and PowerShell execution, this rule helps detect potential exploitation, malware execution, or unauthorized command execution.
7 |
8 | ## Detection Logic
9 | - **Monitors `DeviceProcessEvents`** for processes where:
10 | - The `FileName` contains `"node.exe"`, and
11 | - The `ProcessCommandLine` contains all of the following indicators:
12 | - `"http"` (indicating potential external network connections)
13 | - `"spawn"` or `"execSync"` (indicating child process creation)
14 | - `"const"` (a JavaScript keyword commonly used in malicious scripts)
15 | - `"powershell"` (indicating potential command execution via PowerShell)
16 |
17 | ## Tags
18 | - Node.js Execution
19 | - PowerShell Execution
20 | - Suspicious Command Execution
21 | - Process Monitoring
22 | - Code Execution via Node.js
23 |
24 | ## Search Query
25 | ```kql
26 | DeviceProcessEvents
27 | | where FileName contains "node.exe"
28 | | where ProcessCommandLine has_all ("http", "spawn", "execSync", "const", "powershell")
29 |
--------------------------------------------------------------------------------
/Execution/OfficeSmartScreen.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceEvents
5 | | where ActionType == "SmartScreenAppWarning" //where ActionType == 'SmartScreenUserOverride' for when users ignored the warning and proceeded to execute the file
6 | | extend data = parse_json(AdditionalFields)
7 | | extend Experience = parse_json(data).Experience
8 | | where FileName !in () //Exclusions by filename goes here
9 | | project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName, Experience, InitiatingProcessAccountUpn, DeviceId, ReportId
10 |
11 | References
12 |
--------------------------------------------------------------------------------
/Execution/OneNoteZeroday.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceProcessEvents
4 | | where InitiatingProcessFileName contains "onenote" and FileName !in ("crashpad_handler.exe", "conhost.exe","MSOSYNC.EXE","msedge.exe","msedgewebview2.exe","chrome.exe","firefox.exe","opera.exe","brave.exe","iexplore.exe","WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","AcroRd32.exe","Acrobat.exe","ONENOTEM.exe","OUTLOOK.exe","ai.exe","Teams.exe","notepad.exe","protocolhandler.exe","ONENOTE.EXE","splwow64.exe")
5 | | where FileName != @"ONENOTEM.EXE" and FolderPath != @"/usr/bin/codesign" and FolderPath != @"C:\Windows\System32\DWWIN.EXE"
6 | References:
7 |
--------------------------------------------------------------------------------
/Execution/PSexecNamedPipe.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceEvents
5 | | where ActionType contains "pipe"
6 | | extend parsed = parse_json(AdditionalFields)
7 | | where parsed.PipeName contains "psexesvc"
8 | References:
9 |
--------------------------------------------------------------------------------
/Execution/PowershellDLLexecutions.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Queries:
4 | DeviceImageLoadEvents
5 | | where FileName contains "system.management.automation"
6 | | where InitiatingProcessFileName != @"powershell.exe"
7 | | where InitiatingProcessFileName != @"monitoringhost.exe"
8 | | where InitiatingProcessFileName != @"mscorsvw.exe"
9 | | where InitiatingProcessFileName != @"wa_3rd_party_host_32.exe"
10 | | where InitiatingProcessFileName != @"lenovo.modern.imcontroller.pluginhost.companionapp.exe"
11 | | where InitiatingProcessFileName != @"sdiagnhost.exe"
12 | | where InitiatingProcessFolderPath has_any ("temp", "users")
13 |
14 | References:
15 |
16 | Notes:
17 | This will be false positives prone
18 |
--------------------------------------------------------------------------------
/Execution/PowershellSuspiciousStrings.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName in~ ("powershell.exe", "powershell_ise.exe")
6 | | where ProcessCommandLine has_any("Net.WebClient","DownloadFile","Invoke-WebRequest", "Invoke-Shellcode", "http","IEX","BitsTransfer","mpcmdrun.exe","downloadstring","Invoke-Expression","Invoke","-e","[System.Convert]::FromBase64String()", "-en","-noni", "-nop", "mimikatz")
7 | | where InitiatingProcessFileName != @"CcmExec.exe" | where InitiatingProcessVersionInfoCompanyName != @"Slack Technologies Inc." | where InitiatingProcessVersionInfoFileDescription != @"Snow Inventory Agent for Windows"
8 |
9 | References:
10 |
--------------------------------------------------------------------------------
/Execution/PowershellV2Downgrade.KQL:
--------------------------------------------------------------------------------
1 | name: Execution, Potential PowerShell Downgrade Attack
2 | description: Detects PowerShell downgrade attack through commandline analysis
3 | references: https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_downgrade_attack
4 | tags: Execution, T1059.001
5 | search_query:
6 | (DeviceProcessEvents
7 | | where FileName in~ ("powershell.exe", "powershell_ise.exe")
8 | | where ProcessCommandLine has "-v 2"
9 | or ProcessCommandLine has "-v 2.0"
10 | or ProcessCommandLine has "-version 2"
11 | or ProcessCommandLine has "-versi 2"
12 | or ProcessCommandLine has "-vers 2"
13 | or ProcessCommandLine has "-ver 2"
14 | or ProcessCommandLine has "-ve 2"
15 | or ProcessCommandLine has "-ve 2"
16 | or ProcessCommandLine has "-version 2.0"| where InitiatingProcessFileName != "MonitoringHost.exe")
17 |
--------------------------------------------------------------------------------
/Execution/SuccesfullExploitationofPDFreaders.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where InitiatingProcessFileName in ("AcroRd32.exe","Acrobat.exe","FoxitPhantomPDF.exe","FoxitReader.exe")
6 | and FileName in ("arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe",
7 | "whoami.exe", "bginfo.exe", "cdb.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe", "msbuild.exe", "mshta.exe",
8 | "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe", "xwizard.exe", "atbroker.exe","forfiles.exe", "schtasks.exe", "regasm.exe", "regsvcs.exe", "cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "ftp.exe")
9 | References:
10 |
--------------------------------------------------------------------------------
/Execution/Suspicious CLFS Driver Load.md:
--------------------------------------------------------------------------------
1 | # Rule: Suspicious CLFS Driver Load
2 |
3 | ## Description
4 | This detection rule identifies suspicious loading of the CLFS driver, which may indicate an attempt to inject or manipulate kernel modules for malicious purposes. The CLFS (Common Log File System) driver, normally located in a trusted system directory, is a critical component for managing log files in Windows. When this driver is loaded from an unexpected location or in an unusual context, it can be an indicator of kernel-level compromise or persistence mechanisms employed by adversaries.
5 |
6 | Monitoring image load events for the CLFS driver can provide early detection of such exploitation attempts, enabling rapid investigation and remediation.
7 |
8 | - [Sigma Rule: Image Load CLFS Load](https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_clfs_load/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceImageLoadEvents` for events where the loaded image corresponds to the CLFS driver (e.g., `clfs.sys`).
12 | - Flags events that deviate from normal, trusted behavior for the CLFS driver load (e.g., loading from non-standard directories).
13 |
14 | ## Tags
15 | - Windows Security
16 | - Image Load Events
17 | - Suspicious Driver Load
18 | - Kernel Module Manipulation
19 | - Persistence
20 | - CLFS
21 | - CVE-2024-38196
22 |
23 | ## Search Query
24 | ```kql
25 | DeviceImageLoadEvents
26 | | where FileName endswith "clfs.sys"
27 | | where not( FolderPath startswith @"C:\Windows\System32\drivers\" )
28 | ```
29 | ## Exclusions
30 | you might need to exclude legit path's in your enviroment
31 |
--------------------------------------------------------------------------------
/Execution/SuspiciousMMC.kql:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Execution/SuspiciousMSC.KQL:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Suspicious Microsoft Common Console file Execution
2 |
3 | ## Description
4 | Detects Microsoft Management Console (MMC) Microsoft Common Console file Execution
5 | https://www.genians.co.kr/blog/threat_intelligence/facebook
6 |
7 | ## Detection Logic
8 | - Filters `DeviceProcessEvents` for MMC executions containing "mmc" and ".msc".
9 | - Excludes processes from `C:\Windows\system32\`.
10 | - Filters out "vbc.exe" and "WerFault.exe".
11 |
12 | ## Tags
13 | - Execution Monitoring
14 | - Privilege Escalation
15 |
16 | ## Search Query
17 | ```kql
18 | DeviceProcessEvents
19 | | where InitiatingProcessCommandLine has_all ("mmc", @".msc")
20 | | where not(InitiatingProcessCommandLine matches regex @"(?i)[A-Za-z]:\\Windows\\system32\\.*")
21 | | where ProcessVersionInfoInternalFileName !in ("vbc.exe", "WerFault.exe")
22 |
--------------------------------------------------------------------------------
/Execution/SuspiciousPDQDeployRunnerChild.KQL:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Suspicious Child Processes of PDQ Deploy Runner (Windows)
2 |
3 | ## Description
4 | This detection rule identifies suspicious child processes spawned by the `PDQDeployRunner.exe` process. PDQ Deploy is a legitimate software deployment tool, but it can be misused by attackers to execute malicious payloads. This rule monitors for unusual child processes that may indicate malicious activity.
5 |
6 | - [Detection.FYI on Suspicious Child Processes of PDQ Deploy Runner](https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children/)
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceProcessEvents` for child processes spawned by `PDQDeployRunner.exe`.
10 | - Identifies unusual or suspicious processes that are not commonly associated with legitimate PDQ Deploy activities.
11 |
12 | ## Tags
13 | - Execution
14 | - Process Creation
15 | - PDQ Deploy
16 | - Suspicious Activity
17 |
18 | ## Search Query
19 | ```kql
20 | DeviceProcessEvents
21 | | where InitiatingProcessParentFileName contains "PDQDeployRunner"
22 | | where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "taskkill.exe", "at.exe", "wmic.exe", "bitsadmin.exe")
23 |
24 | Notes:
25 | Exclude trusted processes within your network
26 |
--------------------------------------------------------------------------------
/Execution/SuspiciousServiceInstalled:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceEvents
5 | | where ActionType == "ServiceInstalled"
6 | | where FolderPath !contains "C:\\ProgramData" and FolderPath !contains "C:\\Windows" and FolderPath !contains "C:\\Program File" and FolderPath !contains "\\systemroot\\" and FolderPath !contains "%systemroot%"
7 | | where InitiatingProcessFolderPath !contains "C:\\ProgramData" and InitiatingProcessFolderPath !contains "C:\\Program File" and InitiatingProcessFolderPath !contains "C:\\Windows"
8 | References:
9 |
--------------------------------------------------------------------------------
/Execution/UnsginedExecutionsfromuserdirectories.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Unsigned Executable Launches from User Directories
2 |
3 | ## Description
4 | This detection rule identifies instances where unsigned or suspiciously signed executable files (`.exe`) are launched from common user directories—such as `\Users\`, `\Downloads\`, `\AppData\`, and `\Temp\`—by typical user-facing applications like **Explorer**, **Google Chrome**, or **Microsoft Edge**. Such behavior is often indicative of malicious activity, where attackers trick users into downloading and executing harmful payloads through familiar applications.
5 |
6 | The relevance of this detection is underscored by incidents like the **Fake Zoom Installer** campaign, where users were deceived into downloading a malicious Zoom installer. This installer executed additional payloads, leading to severe compromises, including ransomware deployment. Monitoring for unsigned executables originating from user directories can help in early detection of such deceptive tactics.
7 |
8 | - [Fake Zoom Ends in BlackSuit Ransomware](https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/)
9 |
10 | ## Detection Logic
11 | - **Monitored Directories:**
12 | - `\Users\`
13 | - `\Downloads\`
14 | - `\AppData\`
15 | - `\Temp\`
16 |
17 | - **Signature Status:**
18 | - `Unknown`
19 | - `Unsigned`
20 | - `Invalid`
21 |
22 | - **File Type:**
23 | - Files ending with `.exe`
24 |
25 | - **Exclusions:**
26 | - Processes associated with known legitimate software, such as:
27 | - **Telegram** (`Telegram FZ-LLC`)
28 | - **Zoom**
29 |
30 | - **Initiating Processes:**
31 | - `explorer.exe`
32 | - `chrome.exe`
33 | - `msedge.exe`
34 |
35 | ## Tags
36 | - Unsigned Executables
37 | - User Directory Execution
38 | - Initial Access
39 | - Malware Delivery
40 | - Windows Security
41 | - Fake Installer Detection
42 |
43 | ## Search Query
44 | ```kql
45 | DeviceProcessEvents
46 | | where FolderPath has_any ("\\Users\\", "\\Downloads\\", "\\AppData\\", "\\Temp\\")
47 | | where InitiatingProcessSignatureStatus in ("Unknown", "Unsigned", "Invalid")
48 | | where FileName endswith ".exe"
49 | | where ProcessVersionInfoCompanyName != "Telegram FZ-LLC"
50 | | where ProcessVersionInfoProductName != "Zoom"
51 | | where InitiatingProcessVersionInfoFileDescription != "Google Chrome"
52 | | where InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "msedge.exe")
53 | ```
54 | ## Notes
55 | Exclude and fine tune in your enviroment
56 |
--------------------------------------------------------------------------------
/Execution/WMISBMExec.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName == @"cmd.exe" and ProcessCommandLine contains @"2>" and ProcessCommandLine contains @"$"
6 | References:
7 |
--------------------------------------------------------------------------------
/Execution/WebDavTempFiles.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 | - attack.initial_access
3 | - attack.execution
4 | Query:
5 | DeviceFileEvents
6 | | where InitiatingProcessFileName contains "rundll32.exe" | where FolderPath contains "TfsStore" /* you could change it to InitiatingProcessVersionInfoInternalFileName contains "rundll"*/
7 | | where FileName endswith ".vbs" or FileName endswith'.ps1' or FileName endswith '.lnk' or FileName endswith '.zip' or FileName endswith'.ico' or FileName endswith '.bat'
8 |
9 |
10 | References:
11 | https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
12 | https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
13 |
--------------------------------------------------------------------------------
/Execution/WebdavExecution.kql:
--------------------------------------------------------------------------------
1 | Suspicious File Execution From a WebDav Share. this was tested in my environment you can exclude based on yours
2 | Tags:
3 | - attack.execution
4 |
5 | Query:
6 | DeviceProcessEvents
7 | | where ProcessCommandLine contains "DavWWWRoot" | where InitiatingProcessFileName != @"AcroRd32.exe"
8 | | where ProcessVersionInfoInternalFileName != @"VISIO.EXE"
9 |
10 | References
11 | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
12 | https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
13 |
--------------------------------------------------------------------------------
/Execution/Winexe/NamedPipeDetection.KQL:
--------------------------------------------------------------------------------
1 | name: Execution, Indicators of usage of winexe for lateral movement
2 | description: Detects usage of winexe through named pipe creation
3 | references: https://attack.mitre.org/software/S0191/,https://community.netwitness.com/t5/netwitness-community-blog/detecting-lateral-movement-in-rsa-netwitness-winexe/ba-p/520480
4 | tags: Execution, S0191
5 | search_query:
6 | (DeviceEvents
7 | | where ActionType == "NamedPipeEvent"
8 | | extend ParsedFields=parse_json(AdditionalFields)
9 | | where ParsedFields.FileOperation == "File created"
10 | | where ParsedFields.PipeName has_any ("ahexec", "wmcex")
11 | Notes:
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/Execution/Winexe/ServinceInstall.KQL:
--------------------------------------------------------------------------------
1 |
2 | name: Execution, Indicators of usage of winexe for lateral movement
3 | description: Detects service install of winexe remote admion tool
4 | references: https://attack.mitre.org/software/S0191/,https://community.netwitness.com/t5/netwitness-community-blog/detecting-lateral-movement-in-rsa-netwitness-winexe/ba-p/520480
5 | tags: Execution, S0191
6 | search_query:
7 | (DeviceEvents
8 | | where ActionType == 'ServiceInstalled'
9 | | extend parsed = parse_json(AdditionalFields)
10 | | where parsed.ServiceName has ("winexesvc")
11 | Notes:
12 |
13 |
--------------------------------------------------------------------------------
/Execution/gpresult.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceProcessEvents
4 | | where FileName has_any("gpresult.exe","gprslt.exe") | where ProcessCommandLine has_any ("/z", "/v", "/r", "/x") and InitiatingProcessCommandLine !contains "Connect-ExchangeServer"
5 | //(process.name: "gpresult.exe" or process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")
6 | References:
7 |
--------------------------------------------------------------------------------
/Exfiltration/Anydesk/Readme:
--------------------------------------------------------------------------------
1 | README.MD
2 |
--------------------------------------------------------------------------------
/Exfiltration/BlackSuitbublupexfil.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Data Exfiltration to Bublup.com
2 |
3 | ## Description
4 | This detection rule identifies potential **data exfiltration** attempts by monitoring network connections to `bublup.com`, a legitimate file sharing and storage platform that has been **abused by threat actors**, including the **BlackSuit ransomware group**. During documented intrusions, adversaries used this service to upload exfiltrated data, often as part of double extortion campaigns.
5 |
6 | Connections to `bublup.com` may be uncommon in enterprise environments. When observed—especially outside known business workflows—they may represent staging or exfiltration activity in the later stages of an attack.
7 |
8 | - [The DFIR Report: Fake Zoom Ends in BlackSuit Ransomware](https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/)
9 | - [Unit 42: BlackSuit Ransomware – Ignoble Scorpius](https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/)
10 |
11 | ## Detection Logic
12 | - Monitors `DeviceNetworkEvents` where:
13 | - The `RemoteUrl` contains `"bublup.com"`.
14 |
15 | ## Tags
16 | - Data Exfiltration
17 | - Cloud Abuse
18 | - Bublup
19 | - BlackSuit Ransomware
20 | - Post-Exploitation
21 | - Suspicious Network Activity
22 |
23 | ## Search Query
24 | ```kql
25 | DeviceNetworkEvents
26 | | where RemoteUrl contains "bublup.com"
27 | ```
28 |
--------------------------------------------------------------------------------
/Exfiltration/ExportMailbox.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceProcessEvents
4 | | where InitiatingProcessFileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and ProcessCommandLine has_any ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*")
5 | References:
6 |
--------------------------------------------------------------------------------
/Exfiltration/FreeSSLProviders.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceNetworkEvents
4 | | where RemoteUrl has_any ("letsencrypt.org", "sslforfree.com", "zerossl.com", "freessl.org")
5 | | where InitiatingProcessFolderPath !startswith @"c:\program files" | where InitiatingProcessParentFileName != @"SenseIR.exe" and InitiatingProcessVersionInfoProductName != @"Windows ACME Simple (WACS)" and InitiatingProcessVersionInfoCompanyName != @"Wouter Tinus and many others"
6 | References:
7 |
--------------------------------------------------------------------------------
/Exfiltration/Rclone/RcloneFileProperties.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Detection of rclone or Rsync Process Activity
2 |
3 | ## Description
4 | This detection rule identifies activity related to the execution of the rclone tool or processes associated with Rsync. Both rclone and Rsync are legitimate tools commonly used for file synchronization and transfer. However, their presence or activity may also indicate potential data exfiltration or unauthorized file transfers if used maliciously.
5 |
6 | ## Detection Logic
7 | - Monitors `DeviceProcessEvents` for processes where:
8 | - The `ProcessVersionInfoOriginalFileName` contains "rclone", or
9 | - The `FileName` contains "rclone", or
10 | - The `ProcessVersionInfoFileDescription` contains "Rsync".
11 |
12 | ## Tags
13 | - Execution
14 | - File Transfer
15 | - Data Exfiltration
16 | - Rsync
17 | - rclone
18 | - Suspicious Activity
19 |
20 | ## Search Query
21 | ```kql
22 | DeviceProcessEvents
23 | | where ProcessVersionInfoOriginalFileName contains "rclone" or FileName contains "rclone"
24 | or ProcessVersionInfoFileDescription contains "Rsync"
25 |
--------------------------------------------------------------------------------
/Exfiltration/Rclone/RcloneMSThreatReport.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | DeviceProcessEvents | where ProcessVersionInfoProductName has "rclone" | where ( ProcessCommandLine has_all ("rclone", "lsd", "remote:", @"ftp:", "mega", "--config", "--auto-confirm") ) or ( ProcessCommandLine has "--multi-thread-streams" and ProcessCommandLine has_all ('copy', 'config', 'create', 'lsd', 'remote', 'mega', 'user', 'pass', @'--config', @'--progress', @'--no-check-certificate', @'--ignore-existing', @'--auto-confirm', @'--multi-thread-streams', @'--transfers', @'ftp:', @'remote:') ) or (ProcessCommandLine has @"\\") or ( ProcessCommandLine has_all (@"max-age", @"stats-one-line", @"ignore-existing", @"drive-chunk-size", @"transfers", @"include", @"checkers")) or ( ProcessCommandLine has @"*.{xls,xlsx,doc,docx,pdf}") | where not (FolderPath has "chocolatey")
4 |
5 | References:
6 | Microsoft Threat Intel Report titled Data exfiltration using Rclone and other data synchronization tools
7 | https://github.com/mbabinski/Sigma-Rules/blob/2f12b713e8e51dc2c84fdf8c4c4d714999b6e382/2022_BlackCat_Ransomware/win_susp_process_blackcat_exfiltration.yml#L3
8 |
--------------------------------------------------------------------------------
/Exfiltration/Rclone/Rcloneconfigfile.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Detection of rclone Usage in File Events
2 |
3 | ## Description
4 | This detection rule identifies file events related to the usage of the rclone tool. Rclone is a legitimate command-line program used for syncing files and directories to and from various cloud storage providers. However, its usage in certain contexts may indicate potential data exfiltration or unauthorized file operations if used maliciously.
5 |
6 | ## Detection Logic
7 | - Monitors `DeviceFileEvents` for events where:
8 | - The `FolderPath` contains the string "rclone\", and
9 | - The `InitiatingProcessParentFileName` does not equal "Install WD Discovery".
10 |
11 | ## Tags
12 | - File Events
13 | - Data Exfiltration
14 | - Unauthorized File Operations
15 | - Cloud Storage
16 | - rclone
17 | - Suspicious Activity
18 |
19 | ## Search Query
20 | ```kql
21 | DeviceFileEvents
22 | | where FolderPath contains @"rclone\" and InitiatingProcessParentFileName != @"Install WD Discovery"
23 |
24 |
--------------------------------------------------------------------------------
/Exfiltration/RemoteAdminCerts.KQL:
--------------------------------------------------------------------------------
1 | name: Exfiltration, Ransomware Remote Admin Tools
2 | description: Detects existence of common ransomware tools used by threat groups
3 | references:
4 | tags: Exfiltration
5 | search_query: (
6 | let certificates =
7 | DeviceFileCertificateInfo
8 | | where Signer has_any ('Ammyy','Atera Networks', 'Barracuda Networks', 'CONTINUUM MANAGED', 'ScreenConnect', 'DameWare Development', 'Datto Inc', 'Kaseya', 'Level Software, Inc','MSPBytes', 'N-Able Technologies', 'netsupport', 'ninjarmm',
9 | 'Bravura Software LLC', 'Panorama9', 'pcvisit software ag', 'MMSoft Design', 'famatech', 'idrive', 'Remote Utilities', 'Krämer IT Solutions GmbH', 'Splashtop', 'Nanosystems S.R.L.', 'Servably, Inc.', 'AmidaWare', 'Duc Fabulous')
10 | | distinct SHA1
11 | ;
12 | DeviceProcessEvents
13 | | where SHA1 in~ (certificates) )
14 | on_hit: alert
15 |
--------------------------------------------------------------------------------
/Exfiltration/SimonThatamC2Putty.KQL:
--------------------------------------------------------------------------------
1 | name: C2 Simon Tatham tools reaching the internet
2 | index_type: events
3 | description: Detects the usage of tools signed by Simon Tatham such as putty.exe that reaches the internet.
4 | references: n/a
5 | tags: c2
6 | search_query:
7 | let certificates =
8 | DeviceFileCertificateInfo
9 | | where Signer has_any ('simon')
10 | | distinct SHA1
11 | ;
12 | DeviceNetworkEvents
13 | | where InitiatingProcessSHA1 in~ (certificates) and RemoteIPType == "Public"
14 |
15 | on_hit: alert
16 |
--------------------------------------------------------------------------------
/Exploit/SuspiciousMSIExecRRobin.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents | where FileName == "msiexec.exe" and ProcessCommandLine has_any ('http:','https:') and not(ProcessCommandLine has_any('.exe','.msi')) | where ProcessCommandLine has_any ('/q', '-q','-quiet','/quiet','/qn','-qn')
5 |
6 | Reference
7 |
--------------------------------------------------------------------------------
/Initial Acccess/ISOIMGMount.KQL:
--------------------------------------------------------------------------------
1 | name: Initial Access, ISO/IMG File Mounted
2 | description: Detects the mounting of an img file which could indicate a spearphishing attachment
3 | references: https://attack.mitre.org/techniques/T1566/001/
4 | tags: Initial Access, T1566
5 | search_query:
6 | (DeviceFileEvents
7 | | where FileName endswith ".iso.lnk" or FileName endswith ".img.lnk")
8 |
--------------------------------------------------------------------------------
/Initial Acccess/MacroTrustrecords.kql:
--------------------------------------------------------------------------------
1 | name: Initial Access, Indicators of Macro document enabled/trusted by user
2 | description: Detects users enabling a macro based file which could indicate a spearphishing attachment
3 | references: https://attack.mitre.org/techniques/T1566/001/,https://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
4 | tags: Initial Access, T1566.001
5 | search_query:
6 | (DeviceRegistryEvents
7 | | where RegistryKey contains "TrustRecords")
8 | Notes:
9 | This will alert on some legit users, you need to modify it to have proper exclusions
10 |
--------------------------------------------------------------------------------
/Initial Acccess/SuspiciousSQLChildren.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | let suspiciousprocesses = pack_array ("cmd.exe","powershell","bitsadmin.exe","certutil.exe","bginfo.exe",'bash.exe''bitsadmin.exe','cmd.exe','netstat.exe','nltest.exe','ping.exe', 'powershell.exe','pwsh.exe','regsvr32.exe','rundll32.exe','sh.exe','systeminfo.exe','tasklist.exe','wsl.exe');
5 | DeviceProcessEvents
6 | | where Timestamp >= ago(30d)
7 | | where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe")
8 | | where ProcessCommandLine has_any (suspiciousprocesses) and ProcessCommandLine !contains @"MSSQL13.SQL1\MSSQL\Files\Scripts\"
9 | | where ProcessCommandLine != @"""cmd.exe"" /c rename C:\Windows\ServiceProfiles\NetworkService\HaImportDatabaseName.mdf HaDatabaseName.mdf"
10 | | where ProcessCommandLine != @"""cmd.exe"" /c rename C:\Windows\ServiceProfiles\NetworkService\HaImportDatabaseName_log.ldf HaDatabaseName_log.ldf"
11 |
12 |
13 | References:
14 | https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mssql_susp_child_process/
15 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/Lateral Movement/7ZToSMBshare.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of 7-Zip Archiving to SMB Admin Shares
2 |
3 | ## Description
4 | This detection rule identifies suspicious usage of **7-Zip** (`7z.exe`, `7za.exe`, `7zr.exe`) to interact with administrative SMB shares such as **C$**, **Admin$**, or **IPC$**. Attackers may use **7-Zip** to compress and archive files before exfiltrating data via network shares. This technique is commonly associated with **lateral movement** and **data exfiltration** in targeted attacks.
5 |
6 | In many environments, legitimate use of **7-Zip** does not involve direct interaction with administrative network shares. Therefore, monitoring this behavior can help detect potential misuse by adversaries attempting to stage or exfiltrate data.
7 |
8 | - [Splunk Research: 7-Zip Archive Created in SMB Share](https://research.splunk.com/endpoint/01d29b48-ff6f-11eb-b81e-acde48001123/)
9 |
10 | ## Detection Logic
11 | - **Monitors `DeviceProcessEvents`** where:
12 | - The `FileName` or `ProcessVersionInfoOriginalFileName` matches:
13 | - `"7z.exe"`
14 | - `"7za.exe"`
15 | - `"7zr.exe"`
16 | - The `ProcessCommandLine` contains:
17 | - `"\\C$\\"` (Admin Share)
18 | - `"\\Admin$\\"` (Administrative Access)
19 | - `"\\IPC$\\"` (Inter-Process Communication Share)
20 |
21 | ## Tags
22 | - Data Exfiltration
23 | - Lateral Movement
24 | - SMB Share Monitoring
25 | - Suspicious File Archiving
26 | - Windows Security
27 |
28 | ## Search Query
29 | ```kql
30 | DeviceProcessEvents
31 | | where FileName in ("7z.exe", "7za.exe", "7zr.exe")
32 | or ProcessVersionInfoOriginalFileName in ("7z.exe", "7za.exe", "7zr.exe")
33 | | where ProcessCommandLine has_any ("\\C$\\", "\\Admin$\\", "\\IPC$\\")
34 | ```
35 |
--------------------------------------------------------------------------------
/Linux/BPFKprobe.md:
--------------------------------------------------------------------------------
1 | # Rule : BPF and Kprobe Tracing Detection
2 |
3 | ## Description
4 | Detects the use of BPF (Berkeley Packet Filter) and kprobes with potentially unsafe or enabled tracing configurations. These tools are powerful for system monitoring and debugging but can also be misused for malicious purposes, such as extracting sensitive information or manipulating system behavior.
5 |
6 | - Source: [Sigma rule for detecting BPF and kprobe tracing](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml)
7 |
8 | ## Detection Logic
9 | - Monitors process command lines for specific patterns indicating the use of BPF and kprobes with potentially risky configurations:
10 | - `bpftrace` with the `--unsafe` flag, which allows BPF trace scripts to perform potentially unsafe operations.
11 | - `kprobes` with `enable`, indicating kprobe tracing is enabled.
12 |
13 | ## Tags
14 | - BPF
15 | - Kprobes
16 | - Tracing Detection
17 | - Process Events
18 | - Linux
19 |
20 | ## Search Query
21 | ```kql
22 | DeviceProcessEvents
23 | | where ProcessCommandLine has_all ("bpftrace", "--unsafe") or ProcessCommandLine has_all ("kprobes", "enable")
24 |
--------------------------------------------------------------------------------
/Linux/Base64Shebang.md:
--------------------------------------------------------------------------------
1 | # Rule: Base64 Encoded Shebang Detection
2 |
3 | ## Description
4 | Identifies potential malicious scripts by detecting processes with Base64 encoded shebang lines in their command lines. Shebang lines are typically used to specify the script interpreter, and encoding them in Base64 can indicate attempts to obfuscate malicious activity.
5 |
6 | - Source: [Sigma rule for detecting Base64 encoded shebang lines in Linux](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
7 |
8 | ## Detection Logic
9 | - Monitors process command lines for Base64 encoded shebang lines, which are indicative of script obfuscation. Specifically, it looks for:
10 | - `IyEvYmluL2Jhc2` (Base64 for `#!/bin/bash`)
11 | - `IyEvYmluL2Rhc2` (Base64 for `#!/bin/dash`)
12 | - `IyEvYmluL3pza` (Base64 for `#!/bin/zsh`)
13 | - `IyEvYmluL2Zpc2;IyEvYmluL3No` (Base64 for `#!/bin/fish` and `#!/bin/sh`)
14 |
15 | ## Tags
16 | - Base64 Encoding
17 | - Shebang Detection
18 | - Process Events
19 | - Linux
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceProcessEvents
24 | | where ProcessCommandLine has_any ("IyEvYmluL2Jhc2", "IyEvYmluL2Rhc2", "IyEvYmluL3pza", "IyEvYmluL2Zpc2;IyEvYmluL3No")
25 |
--------------------------------------------------------------------------------
/Linux/ChattrImmutableRemoval.md:
--------------------------------------------------------------------------------
1 | # Rule : Immutable Attribute Removal Detection
2 |
3 | ## Description
4 | Detects the use of the `chattr` command with the `-i` flag, which is used to remove the immutable attribute from files on Linux systems. The immutable attribute prevents a file from being modified or deleted, and its removal could indicate an attempt to tamper with critical system files or logs.
5 |
6 | - Source: [Sigma rule for detecting immutable attribute removal](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml)
7 |
8 | ## Detection Logic
9 | - Monitors process events where the `chattr` command is used with the `-i` flag, indicating an attempt to remove the immutable attribute from a file.
10 |
11 | ## Tags
12 | - Immutable Attribute
13 | - File Tampering
14 | - Process Events
15 | - Linux
16 |
17 | ## Search Query
18 | ```kql
19 | DeviceProcessEvents
20 | | where ProcessCommandLine has_all ("chattr", "-i")
21 |
--------------------------------------------------------------------------------
/Linux/CryptoMiningDetection.kql:
--------------------------------------------------------------------------------
1 | # Rule : Crypto Mining Detection
2 |
3 | ## Description
4 | Detects potential cryptocurrency mining activities by monitoring process command lines for common indicators associated with mining software. Cryptocurrency mining on compromised systems can lead to degraded performance, increased power consumption, and potential hardware damage.
5 |
6 | - Source: [Sigma rule for detecting cryptocurrency mining](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml)
7 |
8 | ## Detection Logic
9 | - Monitors process events for command lines containing common parameters and commands used by cryptocurrency mining software, such as:
10 | - `--cpu-priority=`
11 | - `--donate-level=0`
12 | - `-o pool.`
13 | - `--nicehash`
14 | - `--algo=rx/0`
15 | - `stratum+tcp://`
16 | - `stratum+udp://`
17 | - `sh -c /sbin/modprobe msr allow_writes=on`
18 | - Encoded strings associated with mining configurations and commands.
19 |
20 | ## Tags
21 | - Cryptocurrency Mining
22 | - Process Events
23 | - Linux
24 |
25 | ## Search Query
26 | ```kql
27 | DeviceProcessEvents
28 | | where ProcessCommandLine has_any (
29 | "--cpu-priority=",
30 | "--donate-level=0",
31 | " -o pool.",
32 | " --nicehash",
33 | " --algo=rx/0 ",
34 | "stratum+tcp://",
35 | "stratum+udp://",
36 | "sh -c /sbin/modprobe msr allow_writes=on",
37 | "LS1kb25hdGUtbGV2ZWw9",
38 | "0tZG9uYXRlLWxldmVsP",
39 | "tLWRvbmF0ZS1sZXZlbD",
40 | "c3RyYXR1bSt0Y3A6Ly",
41 | "N0cmF0dW0rdGNwOi8v",
42 | "zdHJhdHVtK3RjcDovL",
43 | "c3RyYXR1bSt1ZHA6Ly",
44 | "N0cmF0dW0rdWRwOi8v",
45 | "zdHJhdHVtK3VkcDovL"
46 | )
47 |
--------------------------------------------------------------------------------
/Linux/DoasConfFileCreation.md:
--------------------------------------------------------------------------------
1 | # Rule: Detection of Unauthorized Creation of doas.conf File
2 |
3 | ## Description
4 | This detection rule identifies attempts to create the `doas.conf` file on Linux systems. The `doas.conf` file is used by the `doas` command to provide a minimalistic alternative to `sudo` for privilege escalation. Unauthorized creation of this file could indicate malicious activity, such as an attempt to configure `doas` settings to gain elevated privileges.
5 |
6 | This rule monitors for the creation of the `doas.conf` file, which is not typically created during standard operations. The presence of this file may indicate an attempt to set up unauthorized privilege escalation on the system.
7 |
8 | - [Detection Rule: Creation of Suspicious doas.conf File](https://research.splunk.com/endpoint/f6343e86-6e09-11ec-9376-acde48001122/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceFileEvents` for events where:
12 | - The `ActionType` is "FileCreated", and
13 | - The `FileName` ends with "doas.conf".
14 |
15 | ## Tags
16 | - File Events
17 | - Privilege Escalation
18 | - doas
19 | - Linux Security
20 | - Suspicious Activity
21 |
22 | ## Search Query
23 | ```kql
24 | DeviceFileEvents
25 | | where ActionType == "FileCreated"
26 | | where FileName endswith "doas.conf"
27 |
--------------------------------------------------------------------------------
/Linux/Getcapdetection.md:
--------------------------------------------------------------------------------
1 | # Rule : Capability Discovery via getcap
2 |
3 | ## Description
4 | Detects the use of the `getcap` command, which is used to query the capabilities of executables on Linux systems. Capabilities can grant elevated privileges to executables, and discovering these capabilities can be part of an attacker's reconnaissance phase. This detection specifically excludes instances where `getcap` is run by the `vmtoolsd` service.
5 |
6 | - Source: [Sigma rule for detecting capability discovery](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml)
7 |
8 | ## Detection Logic
9 | - Monitors for process events where the executed file name is `getcap`.
10 | - Excludes events where the initiating process folder path is `/usr/bin/vmtoolsd`, which is typically a legitimate use case associated with VMware Tools.
11 |
12 | ## Tags
13 | - Capability Discovery
14 | - getcap
15 | - Process Events
16 | - Linux
17 |
18 | ## Search Query
19 | ```kql
20 | DeviceProcessEvents
21 | | where FileName == "getcap" and InitiatingProcessFolderPath != "/usr/bin/vmtoolsd"
22 |
--------------------------------------------------------------------------------
/Linux/Linuxwebshell.md:
--------------------------------------------------------------------------------
1 | # Rule: Linux Webshell Indicators
2 |
3 | ## Description
4 | Detects potential webshell activity by monitoring process events where suspicious processes associated with web servers and common system administration tools are executed.
5 |
6 | - Source: [Sigma rule for Linux webshell detection](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml)
7 |
8 | ## Detection Logic
9 | - Filters events to include process executions where:
10 | - Initiating process filenames include common web server executables (`httpd`, `lighttpd`, `nginx`, `apache2`, `node`, `caddy`).
11 | - Executed file names include common system administration tools (`whoami`, `ifconfig`, `ip`, `uname`, `cat`, `crontab`, `hostname`, `iptables`, `netstat`, `pwd`, `route`).
12 | - Excludes events where:
13 | - The initiating process filename is `calico-node`.
14 | - The process command line includes `cat /proc/cpuinfo`.
15 |
16 | ## Tags
17 | - Webshell Detection
18 | - Process Events
19 | - Linux
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceProcessEvents
24 | | where InitiatingProcessFileName has_any ("httpd", "lighttpd", "nginx", "apache2", "node", "caddy")
25 | | where FileName has_any ("whoami", "ifconfig", "ip", "uname", "cat", "crontab", "hostname", "iptables", "netstat", "pwd", "route")
26 | | where InitiatingProcessFileName !contains "calico-node"
27 | | where ProcessCommandLine !contains "cat /proc/cpuinfo"
28 |
--------------------------------------------------------------------------------
/Linux/PtraceDetected.md:
--------------------------------------------------------------------------------
1 | # Rule: Detection of Ptrace System Call (PTraceDetected)
2 |
3 | ## Description
4 | This detection rule identifies the usage of the `ptrace` system call on Linux systems. The `ptrace` system call is used by debuggers and other programs to observe and control the execution of another process. While `ptrace` is a legitimate tool, it can also be misused by attackers for various malicious activities such as process injection, code execution, and obtaining sensitive information from other processes.
5 |
6 | This rule monitors for events where the `ptrace` system call is detected. Unauthorized use of `ptrace` can indicate attempts to hijack or manipulate running processes.
7 |
8 | - [MITRE ATT&CK Technique T1055.008: Process Injection - Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceEvents` for events where:
12 | - The `ActionType` is "PTraceDetected".
13 |
14 | ## Tags
15 | - Process Injection
16 | - ptrace
17 | - Linux Security
18 | - Suspicious Activity
19 | - MITRE T1055.008
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceEvents
24 | | where ActionType == "PTraceDetected"
25 |
26 |
--------------------------------------------------------------------------------
/Linux/ShadowFileModified.md:
--------------------------------------------------------------------------------
1 | # Rule: Detection of Unauthorized Renaming of /etc/shadow
2 |
3 | ## Description
4 | This detection rule identifies attempts to rename the `/etc/shadow` file on Linux systems. The `/etc/shadow` file contains hashed passwords for user accounts and should never be renamed during normal operations. Unauthorized renaming of this file could indicate malicious activity, such as an attempt to hide unauthorized changes to user passwords.
5 |
6 | This rule monitors for Linux shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.
7 |
8 | - [Elastic Detection Rule on Persistence via User Password Change](https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_user_password_change.toml)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceFileEvents` for events where:
12 | - The `ActionType` contains "FileRenamed", and
13 | - The `FileName` is `/etc/shadow`.
14 |
15 | ## Tags
16 | - File Events
17 | - Persistence
18 | - User Password Change
19 | - /etc/shadow
20 | - Linux Security
21 | - Suspicious Activity
22 |
23 | ## Search Query
24 | ```kql
25 | DeviceFileEvents
26 | | where ActionType contains "FileRenamed"
27 | | where FileName == @"/etc/shadow"
28 |
--------------------------------------------------------------------------------
/Linux/ShadowPasswdcopytosuspiciouslocation.md:
--------------------------------------------------------------------------------
1 | # Rule : Sensitive File Copy to /tmp Directory
2 |
3 | ## Description
4 | Detects attempts to copy sensitive system files, such as `shadow` and `passwd`, to the `/tmp` directory using the `cp` command. These files contain critical information about user accounts and passwords, and copying them to a temporary directory may indicate malicious intent to exfiltrate or manipulate sensitive data.
5 |
6 | - Source: [Sigma rule for detecting copying of sensitive files to /tmp](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml)
7 |
8 | ## Detection Logic
9 | - Monitors process events where the executed file name is `cp`.
10 | - Filters for instances where the process command line contains `/tmp` and includes either `shadow` or `passwd`, indicating an attempt to copy these sensitive files to the `/tmp` directory.
11 |
12 | ## Tags
13 | - Sensitive File Copy
14 | - Shadow File
15 | - Passwd File
16 | - Process Events
17 | - Linux
18 |
19 | ## Search Query
20 | ```kql
21 | DeviceProcessEvents
22 | | where FileName == "cp" and ProcessCommandLine contains "/tmp" and ProcessCommandLine has_any ("shadow", "passwd")
23 |
--------------------------------------------------------------------------------
/Linux/Sudoers.dFileCreation.md:
--------------------------------------------------------------------------------
1 | # Rule: Detection of Unauthorized Creation of Files in /etc/sudoers.d/
2 |
3 | ## Description
4 | This detection rule identifies attempts to create files in the `/etc/sudoers.d/` directory on Linux systems. The `/etc/sudoers.d/` directory is used to include additional sudoers configuration files. Unauthorized creation of files in this directory could indicate an attempt to escalate privileges or gain unauthorized access by adding malicious sudoers configurations.
5 |
6 | This rule monitors for file creation events in the `/etc/sudoers.d/` directory. Such activity is not typically seen during standard operations and may indicate malicious intent to modify sudo privileges.
7 |
8 | - [Sigma Rule: Persistence via Sudoers File](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceFileEvents` for events where:
12 | - The `ActionType` is "FileCreated", and
13 | - The `FolderPath` contains `/etc/sudoers.d/`.
14 |
15 | ## Tags
16 | - File Events
17 | - Privilege Escalation
18 | - sudoers
19 | - Linux Security
20 | - Suspicious Activity
21 |
22 | ## Search Query
23 | ```kql
24 | DeviceFileEvents
25 | | where ActionType == "FileCreated"
26 | | where FolderPath contains "/etc/sudoers.d/"
27 |
--------------------------------------------------------------------------------
/Linux/SudoersFileEnumeration.md:
--------------------------------------------------------------------------------
1 | # Rule : Sudoers File Access Detection
2 |
3 | ## Description
4 | Detects attempts to read the `sudoers` file using common text viewing and searching commands. The `sudoers` file controls user privileges and its unauthorized access may indicate attempts to gain elevated privileges or gather sensitive information about system configurations.
5 |
6 | - Source: [Sigma rule for detecting access to sudoers file](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml)
7 |
8 | ## Detection Logic
9 | - Monitors process events where the executed file name is one of the following text viewing and searching commands: `cat`, `grep`, `head`, `tail`, `more`.
10 | - Filters for instances where the process command line contains the term `sudoers`, indicating an attempt to access the sudoers file.
11 |
12 | ## Tags
13 | - Sudoers File Access
14 | - Privilege Escalation
15 | - Process Events
16 | - Linux
17 |
18 | ## Search Query
19 | ```kql
20 | DeviceProcessEvents
21 | | where FileName in ('cat', 'grep', 'head', 'tail', 'more')
22 | | where ProcessCommandLine contains "sudoers"
23 |
--------------------------------------------------------------------------------
/Linux/TripleCrosseBPFRootkit.md:
--------------------------------------------------------------------------------
1 | # Rule: Detection of Suspicious File Creation Related to TripleCrosse eBPF Backdoor
2 |
3 | ## Description
4 | This detection rule identifies the creation of suspicious files named "ebpfbackdoor" or "rootlog" on Linux systems. These files are associated with malicious activities, such as the installation of rootkits or backdoors. The creation of such files can indicate an attempt to establish persistence or hide unauthorized activities on the system.
5 |
6 | This rule monitors for the creation of files with names indicative of known malicious tools, focusing on files that are not typically present in legitimate environments.
7 |
8 | - [Sigma Rule: TripleCross Rootkit Lock File](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml)
9 | - [Sigma Rule: TripleCross Rootkit Persistence](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml)
10 |
11 | ## Detection Logic
12 | - Monitors `DeviceFileEvents` for events where:
13 | - The `ActionType` is "FileCreated".
14 | - The `FileName` contains "ebpfbackdoor" or "rootlog".
15 |
16 | ## Tags
17 | - File Events
18 | - Persistence
19 | - Rootkit
20 | - eBPF Backdoor
21 | - Linux Security
22 | - Suspicious Activity
23 |
24 | ## Search Query
25 | ```kql
26 | DeviceFileEvents
27 | | where ActionType == "FileCreated"
28 | | where FileName contains "ebpfbackdoor" or FileName contains "rootlog"
29 |
--------------------------------------------------------------------------------
/Linux/XclipExecutions.kql:
--------------------------------------------------------------------------------
1 | # Rule : Clipboard Data Collection via xclip
2 |
3 | ## Description
4 | Detects the use of the `xclip` command to access clipboard data. The `xclip` utility is used to manipulate the X11 clipboard, and its usage with specific flags can indicate attempts to capture clipboard contents, which may include sensitive information such as passwords or other confidential data.
5 |
6 | - Source: [Sigma rule for detecting clipboard collection](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml)
7 |
8 | ## Detection Logic
9 | - Monitors process events where the executed file name contains `xclip`.
10 | - Filters for instances where the process command line includes the terms `sel` and `clip`, indicating an attempt to access or manipulate clipboard data.
11 |
12 | ## Tags
13 | - Clipboard Collection
14 | - xclip
15 | - Process Events
16 | - Linux
17 |
18 | ## Search Query
19 | ```kql
20 | DeviceProcessEvents
21 | | where FileName contains "xclip" and ProcessCommandLine has_all("sel", "clip")
22 |
--------------------------------------------------------------------------------
/Linux/ectprofilesuspiciousscripts.md:
--------------------------------------------------------------------------------
1 | # Rule: Detection of Suspicious Shell Scripts in Profile Directory
2 |
3 | ## Description
4 | This detection rule identifies suspicious shell scripts located in the `/etc/profile.d/` directory on Linux systems. Shell scripts in this directory are typically used to configure the environment for all users on the system. The presence of unusual or unauthorized shell scripts may indicate persistence attempts by attackers, aiming to execute malicious code during user logins or system startup.
5 |
6 | This rule monitors for the creation or modification of shell scripts in the `/etc/profile.d/` directory, excluding scripts initiated by the `platform-python3.6` process, which is generally considered benign.
7 |
8 | - [Sigma Rule: Suspicious Shell Script in Profile Directory](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceFileEvents` for events where:
12 | - The `FileName` ends with ".sh", ".zsh", or ".csh".
13 | - The `InitiatingProcessFileName` is not "platform-python3.6".
14 | - The `FolderPath` contains "/etc/profile.d/".
15 |
16 | ## Tags
17 | - File Events
18 | - Persistence
19 | - Shell Script
20 | - Profile Directory
21 | - Linux Security
22 | - Suspicious Activity
23 |
24 | ## Search Query
25 | ```kql
26 | DeviceFileEvents
27 | | where FileName endswith ".sh" or FileName endswith ".zsh" or FileName endswith ".
28 |
--------------------------------------------------------------------------------
/MacOS/CredentialAccessBuiltin.KQL:
--------------------------------------------------------------------------------
1 | tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName has_any ("defaults","mkpassdb") and ProcessCommandLine has_any ("ShadowHashData", "dump")
6 | References:
7 | https://github.com/elastic/detection-rules/blob/e9baebc2bc18f90ae16501613cd9521a16a38ad7/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
8 |
9 |
--------------------------------------------------------------------------------
/MacOS/NetworkSetupProxy.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName == @"networksetup" and ProcessCommandLine has_any ("setwebproxy","setsecurewebproxy","setautoproxyurl")
6 |
7 | References:
8 | https://github.com/elastic/detection-rules/blob/e9baebc2bc18f90ae16501613cd9521a16a38ad7/rules/macos/credential_access_mitm_localhost_webproxy.toml
9 |
--------------------------------------------------------------------------------
/MacOS/PasswordStores.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents, DeviceInfo
5 | | where OSPlatform == "macOS" and ProcessCommandLine has_any ("/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", "/Users/*/Library/Cookies*",
6 | "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
7 | "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", "Login Data","Cookies.binarycookies", "key4.db", "key3.db", "logins.json", "cookies.sqlite")
8 |
9 | ChatGPT generated Query:
10 | DeviceProcessEvents
11 | | where ProcessCommandLine matches regex @"(.*\/Users\/[^/]+\/Library\/Application Support\/Google\/Chrome\/Default\/Login Data|.*\/Users\/[^/]+\/Library\/Application Support\/Google\/Chrome\/Default\/Cookies|.*\/Users\/[^/]+\/Library\/Cookies.*|.*\/Users\/[^/]+\/Library\/Application Support\/Firefox\/Profiles\/.*\.default\/cookies\.sqlite|.*\/Users\/[^/]+\/Library\/Application Support\/Firefox\/Profiles\/.*\.default\/key.*\.db|.*\/Users\/[^/]+\/Library\/Application Support\/Firefox\/Profiles\/.*\.default\/logins\.json|Login Data|Cookies\.binarycookies|key4\.db|key3\.db|logins\.json|cookies\.sqlite)"
12 |
13 |
14 | References:
15 |
16 |
--------------------------------------------------------------------------------
/MacOS/SQlite3TCC.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName contains "sqlite" and ProcessCommandLine contains "com.apple.TCC/TCC.db"
6 |
7 | Reference:
8 | https://www.loobins.io/binaries/sqlite3/
9 | https://github.com/elastic/detection-rules/blob/e9baebc2bc18f90ae16501613cd9521a16a38ad7/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
10 |
--------------------------------------------------------------------------------
/MacOS/chainbreaker.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceFileEvents
5 | | where FolderPath contains @"/private/var/db/SystemKey"
6 |
--------------------------------------------------------------------------------
/MacOS/copytmptousers.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | union DeviceFileEvents, DeviceProcessEvents
6 | | where Timestamp >= ago(7d)
7 | | where FileName == "cp"
8 | and ProcessCommandLine contains "Users"
9 | and ProcessCommandLine contains "tmp"
10 | and FileName != "vpndownloader"
11 | and ProcessCommandLine !contains "generic/kernel/drivers/regulator/userspace-consumer.ko"
12 | and ProcessCommandLine != "/bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old"
13 | and InitiatingProcessCommandLine !contains "Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework"
14 |
15 |
16 | Resoruces:
17 |
--------------------------------------------------------------------------------
/MacOS/libraryexecutions.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | union DeviceProcessEvents
6 | | where Timestamp >= ago(7d)
7 | | where InitiatingProcessCommandLine contains @"/Library/Scripts"
8 |
9 | References:
10 |
--------------------------------------------------------------------------------
/MacOS/osascriptpassword.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | DeviceProcessEvents
6 | | where ProcessCommandLine has_all ("osascript", "dialog", "password")
7 |
8 | References:
9 |
10 |
--------------------------------------------------------------------------------
/MacOS/tempexecutions.kql:
--------------------------------------------------------------------------------
1 | union DeviceProcessEvents
2 | | where Timestamp >= ago(7d)
3 | | where InitiatingProcessCommandLine has "/tmp/"
4 |
--------------------------------------------------------------------------------
/MacOS/useraddedtolocaladmin:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where FileName has_any ("dscl", "dseditgroup")
6 | | where ProcessCommandLine contains "admin" and ProcessCommandLine has_any ("-a","-append")
7 | | where InitiatingProcessParentFileName != @"jamf" | where InitiatingProcessCommandLine !contains @"com.jamfsoftware"
8 |
9 | References:
10 |
--------------------------------------------------------------------------------
/Malja3fingerpints:
--------------------------------------------------------------------------------
1 | #Ja3Hashhttps://sslbl.abuse.ch/ja3-fingerprints/
2 | fc54e0d16d9764783542f0146a98b300
3 | 8515076cbbca9dce33151b798f782456
4 | 8916410db85077a5460817142dcbc8de
5 | fc2299d5b2964cd242c5a2c8c531a5f0
6 | c2b4710c6888a5d47befe865c8e6fb19
7 | 25d74b7b4b779eb1efd4b31d26d651c6
8 | a50a861119aceb0ccc74902e8fddb618
9 | ffefafdb86336d057eda5fdf02b3d5ce
10 | 70722097d1fe1d78d8c2164640ab6df4
11 | bffa4501966196d3d6e90cee1f88fc89
12 | 534ce2dbc413c68e908363b5df0ae5e0
13 | da949afd9bd6df820730f8f171584a71
14 | c0220cd64849a629397a9cb68f78a0ea
15 | 08a8a4e85b25ac42e1490bc85cfdb5ce
16 | 8f52d1ce303fb4a6515836aec3cc16b1
17 | 32926ca3e59f0413d0b98725454594f5
18 | dff8a0aa1c904aaea76c5bf624e88333
19 | d81d654effb94714a4086734fa0adad9
20 | 52c7396a501e4fecbdfa99c5408334ac
21 | c5deb9465d47232dd48772f9c4d14679
22 | 1aee0238942d453d679fc1e37a303387
23 | 807fca46d9d0cf63adf4e5e80e414bbe
24 | 70a04365be5bbd4653698bebeb43ce68
25 | 49ed2ef3f1321e5f044f1e71b0e6fdd5
26 | e7643725fcff971e3051fe0e47fc2c71
27 | 1fe4c7a3544eb27afec2adfb3a3dbf60
28 | f735bbc6b69723b9df7b0e7ef27872af
29 | 40adfd923eb82b89d8836ba37a19bca1
30 | 1aa7bf8b97e540ca5edd75f7b8384bfa
31 | 3cda52da4ade09f1f781ad2e82dcfa20
32 | 7dd50e112cd23734a310b90f6f44a7cd
33 | 1be3ecebe5aa9d3654e6e703d81f6928
34 | c5235d3a8b9934b7fbbd204d50bc058d
35 | e62a5f4d538cbf169c2af71bec2399b4
36 | d2935c58fe676744fecc8614ee5356c7
37 | decfb48a53789ebe081b88aabb58ee34
38 | 51c64c77e60f3980eea90869b68c58a8
39 | cb98a24ee4b9134448ffb5714fd870ac
40 | 34f14a69ad7009ca5863379218af17f3
41 | d76ee64fb7273733cbe455ac81c292e6
42 | 8f6c918dcb585ebbea05e2cc94530e3d
43 | 1d095e68489d3c535297cd8dffb06cb9
44 | f22bdd57e3a52de86cda40da2d84e83b
45 | fb58831f892190644fe44e25bc830b45
46 | 0cc1e84568e471aa1d62ad4158ade6b5
47 | 2092e1fffb45d7e4a19a57f9bc5e203a
48 | d18a4da84af59e1108862a39bae7c9d4
49 | a61299f9b501adcf680b9275d79d4ac6
50 | b386946a5a44d1ddcc843bc75336dfce
51 | 8991a387e4cc841740f25d6f5139f92d
52 | 3d89c0dfb1fa44911b8fa7523ef8dedb
53 | e330bca99c8a5256ae126a55c4c725c5
54 | 83e04bc58d402f9633983cbf22724b02
55 | b8f81673c0e1d29908346f3bab892b9b
56 | d551fafc4f40f1dec2bb45980bfa9492
57 | 29085f03f8e8a03f0b399c5c7cf0b0b8
58 | 51a7ad14509fd614c7bb3a50c4982b8c
59 | bc6c386f480ee97b9d9e52d472b772d8
60 | b13d01846ad7a14a70bf030a16775c78
61 | 698e36219f3979420fa2581b21dac7ec
62 | 1712287800ac91b34cadd5884ce85568
63 | 550dce18de1bb143e69d6dd9413b8355
64 | d7150af4514b868defb854db0f62a441
65 | df5c30e670dba99f9270ed36060cf054
66 | 35c0a31c481927f022a3b530255ac080
67 | 7dcce5b76c8b17472d024758970a406b
68 | 911479ac8a0813ed1241b3686ccdade9
69 | 03e186a7f83285e93341de478334006e
70 | 17fd49722f8d11f3d76dce84f8e099a7
71 | fb00055a1196aeea8d1bc609885ba953
72 | 098f55e27d8c4b0a590102cbdb3a5f3a
73 | e3b2ab1f9a56f2fb4c9248f2f41631fa
74 | 46efd49abcca8ea9baa932da68fdb529
75 | 4d7a28d6f2263ed61de88ca66eb011e3
76 | b2b61db7b9490a60d270ccb20b462826
77 | 92579701f145605e9edc0b01a901c6d5
78 | 7691297bcb20a41233fd0a0baa0a3628
79 | 16efcf0e00504ddfedde13bfea997952
80 | 1543a7c46633acf71e8401baccbd0568
81 | d6f04b5a910115f4b50ecec09d40a1df
82 | 93d056782d649deb51cda44ecb714bb0
83 | 5e573c9c9f8ba720ef9b18e9fce2e2f7
84 | 590a232d04d56409fab72e752a8a2634
85 | 849b04bdbd1d2b983f6e8a457e0632a8
86 | 9c2589e1c0e9f533a022c6205f9719e1
87 | 96eba628dcb2b47607192ba74a3b55ba
88 | 7c410ce832e848a3321432c9a82e972b
89 | c50f6a8b9173676b47ba6085bd0c6cee
90 | 906004246f3ba5e755b043c057254a29
91 | f6fd83a21f9f3c5f9ff7b5c63bbc179d
92 | 57f3642b4e37e28f5cbe3020c9331b4c
93 | 9f62c4f26b90d3d757bea609e82f2eaf
94 | b90bdbe961a648f0427db21aaa6ccb59
95 | c201b92f8b483fa388be174d6689f534
96 | fd80fa9c6120cdeea8520510f3c644ac
97 | 2d8794cb7b52b777bee2695e79c15760
98 |
--------------------------------------------------------------------------------
/Misc&reporting/InternetFacingDevices.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 |
4 | Query:
5 |
6 | DeviceInfo
7 | | where IsInternetFacing
8 | | extend parsed = parse_json(AdditionalFields)
9 | | where isnotempty(parsed.InternetFacingPublicScannedIp)
10 | | project DeviceName, parsed.InternetFacingLocalIp, parsed.InternetFacingPublicScannedIp
11 |
12 |
13 | References
14 |
15 |
16 |
--------------------------------------------------------------------------------
/Persistence/ForestBlizzardCustomProtocolHandler.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Suspicious Registry Modification for Custom Protocol Handler (Windows)
2 |
3 | ## Description
4 | This detection rule aims to identify suspicious registry modifications associated with custom protocol handlers on Windows systems. Forest Blizzard, a threat actor group, has been known to utilize such techniques for persistence or to facilitate their malicious activities. Monitoring for these registry changes can help detect and mitigate potential threats.
5 |
6 | - [Detection.FYI on Registry Set for APT Forest Blizzard Custom Protocol Handler](https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler/)
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceRegistryEvents` for registry value set actions.
10 | - Filters for registry keys associated with custom protocol handlers, particularly those modified or created by the threat actor group.
11 |
12 | ## Tags
13 | - Persistence
14 | - Custom Protocol Handler
15 | - APT Forest Blizzard
16 |
17 | ## Search Query
18 | ```kql
19 | DeviceRegistryEvents
20 | | where ActionType == "RegistryValueSet"
21 | | where RegistryKey contains "\\Classes\\PROTOCOLS\\Handler"
22 | | where RegistryKey endswith "rogue"
23 |
--------------------------------------------------------------------------------
/Persistence/ServiceCreation.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | DeviceProcessEvents
6 | | where ProcessVersionInfoFileDescription == @"Service Control Manager Configuration Tool" and InitiatingProcessVersionInfoCompanyName != "Cisco Systems, Inc."
7 | and ProcessCommandLine contains "path"
8 | | where InitiatingProcessVersionInfoProductName != @"Microsoft® Azure® AD Connect"
9 |
10 |
11 | References:
12 |
13 | False positives:
14 | This rule might generate false positives exclude the most noisy onces
15 |
--------------------------------------------------------------------------------
/Persistence/ServiceCreationIDE.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | IdentityDirectoryEvents
4 | | where ActionType contains "Service creation"
5 | | extend parsed = parse_json(AdditionalFields)
6 | | where parsed.ServiceCommand has_any ('comspec', 'btobto', 'psexe', 'powershell', 'cmd', 'systemroot' 'admin$')
7 |
8 | References:
9 |
10 | False positives:
11 |
--------------------------------------------------------------------------------
/Persistence/ServiceCreationRATools.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceEvents
4 | | where ActionType == 'ServiceInstalled'
5 | | extend parsed = parse_json(AdditionalFields)
6 | | where parsed.ServiceName has_any ("screenconnect","Radmin", "Splashtop", "Atera", "AmmyyAdmin", "jumpcloud", "GoToAssist", "anydesk")
7 | References:
8 |
--------------------------------------------------------------------------------
/Persistence/SuspiciousRunMRUentries.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of Suspicious RunMRU Registry Modifications Related to info Stealers
2 |
3 | ## Description
4 | This detection rule identifies suspicious modifications to the **RunMRU** registry key, which stores a history of commands executed via the Windows **Run Dialog** (`Win + R`). Adversaries, including those deploying **Lumma Stealer**, may use this technique to execute malicious commands, download payloads, or establish persistence by leveraging commonly abused executables like **PowerShell, cmd.exe, rundll32.exe, and pwsh**.
5 |
6 | As observed in **Lumma Stealer** campaigns, attackers may use **CAPTCHA-based evasion** techniques to distribute malware and execute commands that interact with malicious infrastructure via `iwr`, `https`, and `iex` in PowerShell. Monitoring changes to the **RunMRU** registry key helps detect malicious activity attempting to execute unauthorized commands or establish persistence through registry manipulation.
7 |
8 | - [Lumma Stealer Analysis - Medium](https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71)
9 |
10 | ## Detection Logic
11 | - **Monitors `DeviceRegistryEvents`** where:
12 | - The `RegistryKey` contains `"RunMRU"` (indicating execution history manipulation).
13 | - The `RegistryValueData` contains **potentially malicious command-line keywords**, such as:
14 | - `"powershell"` – PowerShell execution
15 | - `"pwsh"` – PowerShell Core execution
16 | - `"iwr"` – Invoke-WebRequest (used for downloading files)
17 | - `"https"` – Suspicious external network access
18 | - `"iex"` – Invoke-Expression (often abused in PowerShell attacks)
19 | - `"cmd.exe"` – Execution via the command prompt
20 | - `"rundll"` – DLL execution
21 |
22 | ## Tags
23 | - Malware Persistence
24 | - Registry Modification
25 | - Windows Run Dialog Abuse
26 | - Command Execution
27 | - Malicious Script Execution
28 | - Suspicious Activity
29 | - InfoStealers
30 |
31 | ## Search Query
32 | ```kql
33 | DeviceRegistryEvents
34 | | where RegistryKey contains "Runmru"
35 | | where RegistryValueData has_any("powershell", "iwr", "https", "iex", "cmd.exe", "rundll", "pwsh")
36 | ```
37 |
--------------------------------------------------------------------------------
/Persistence/WMIEventConsumer.KQL:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | DeviceEvents | where ActionType == 'WmiBindEventFilterToConsumer'
6 | | where AdditionalFields !contains "SCM Event Log Filter" and AdditionalFields !contains "CCM_PolicyReplicationConsumer"
7 | | extend parsed = parse_json(AdditionalFields)
8 | | where parsed.Namespace == @"//./root/subscription" and parsed.PossibleCause !contains @"Win32_Processor" and parsed.Ess != @"DellCommandPowerManagerAlertEventFilter" and parsed.Ess != @"DellCommandPowerManagerPolicyChangeEventFilter"
9 |
10 | References:
11 |
--------------------------------------------------------------------------------
/Privilege Escalation/CVE-2024-35250.md:
--------------------------------------------------------------------------------
1 | # Rule : Potential CVE-2024-35250 Exploitation Activity
2 |
3 | ## Description
4 | Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
5 | This detection rule identifies potential exploitation attempts of (CVE-2024-35250) that could allow attackers to achieve privilege escalation. By abusing the image load mechanism, threat actors may attempt to load a malicious module in place of a legitimate one, bypassing security controls and escalating privileges on the target system.
6 |
7 | - [Detection.fyi: Image Load Exploit CVE-2024-35250 Privilege Escalation](https://detection.fyi/sigmahq/sigma/emerging-threats/2024/exploits/cve-2024-35250/image_load_exploit_cve_2024_35250_privilege_escalation/)
8 |
9 | ## Detection Logic
10 | - Monitors `DeviceImageLoadEvents` events for ksproxy.ax being loaded by a suspicious process
11 |
12 | ## Tags
13 | - Privilege Escalation
14 | - Image Load Exploit
15 | - CVE-2024-35250
16 | - Exploitation
17 | - Windows Security
18 | - Suspicious Activity
19 |
20 | ## Search Query
21 | ```kql
22 | DeviceImageLoadEvents
23 | | where FileName endswith @"ksproxy.ax"
24 | ```
25 |
26 |
27 | - **Exclusions:**
28 | you might need to excluded the following in your enviroment
29 | - Exclude events where the `FilenName` field starts with any of the following trusted system paths:
30 | - `C:\Program Files\`
31 | - `C:\Program Files (x86)\`
32 | - `C:\Windows\System32\`
33 | - `C:\Windows\SysWOW64\`
34 | - Exclude events where the `Image` field ends with any of the following known legitimate applications:
35 | - `\AppData\Local\Microsoft\Teams\current\Teams.exe`
36 | - `\AppData\Roaming\Zoom\bin\Zoom.exe`
37 | - `\AppData\Local\Mozilla Firefox\firefox.exe`
38 | - `\AppData\Local\Google\Chrome\Application\chrome.exe`
39 | - `\AppData\Local\Programs\Opera\opera.exe`
40 |
--------------------------------------------------------------------------------
/Privilege Escalation/Getsystem.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 |
5 | DeviceProcessEvents
6 | | where FileName ==@"cmd.exe" and ProcessCommandLine has_all ( "echo", "pipe")
7 |
8 | References:
9 |
--------------------------------------------------------------------------------
/Privilege Escalation/GetsystemelevationCSmetasploit.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of cmd.exe Echo Pipe Commands
2 |
3 | ## Description
4 | This detection rule identifies suspicious usage of the `cmd.exe` process executing commands that involve `echo` combined with a pipe (`|`). Attackers often use such techniques during post-exploitation to gain elevated privileges or to manipulate data streams on compromised systems. This method is associated with various offensive security activities, including the well-known `getsystem` technique for privilege escalation.
5 |
6 | Monitoring command-line activities that combine `echo` and piping is important for detecting attempts to modify or redirect output, potentially aiding in data exfiltration or system tampering.
7 |
8 | - [Red Canary: Detecting Getsystem and Offensive Security Techniques](https://redcanary.com/blog/threat-detection/getsystem-offsec/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceProcessEvents` for events where:
12 | - The `FileName` is `cmd.exe`, and
13 | - The `ProcessCommandLine` contains both `"echo"` and `"pipe"` operations.
14 |
15 | ## Tags
16 | - cmd.exe Monitoring
17 | - Privilege Escalation
18 | - Offensive Security Tools
19 | - Suspicious Command-Line Activity
20 | - Threat Detection
21 |
22 | ## Search Query
23 | ```kql
24 | DeviceProcessEvents
25 | | where FileName == @"cmd.exe" and ProcessCommandLine has_all("echo", "pipe")
26 |
--------------------------------------------------------------------------------
/Privilege Escalation/PrintspoolerElevation.kql:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Potential Privilege Escalation via CVE-2022-38028 (Windows)
2 |
3 | ## Description
4 | This detection rule identifies potential privilege escalation attempts on Windows systems via CVE-2022-38028. This vulnerability allows attackers to escalate privileges by exploiting specific processes and file paths. Monitoring for these patterns can help detect malicious activities aiming to exploit this CVE.
5 | - [Microsoft analyzing forest blizzards] (https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/)
6 | - [Elastic Security Guide on CVE-2022-38028](https://www.elastic.co/guide/en/security/current/potential-privilege-escalation-via-cve-2022-38028.html)
7 |
8 | ## Detection Logic
9 | - Monitors `DeviceFileEvents` for file creation events in specific directories associated with the CVE.
10 | - Filters for JavaScript files created in these directories, excluding those initiated by the legitimate `drvinst.exe` process.
11 |
12 | ## Tags
13 | - Privilege Escalation
14 | - CVE-2022-38028
15 |
16 | ## Search Query
17 | ```kql
18 | DeviceFileEvents
19 | | where ActionType == "FileCreated"
20 | | where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\" or FolderPath startswith "C:\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf"
21 | | where FileName endswith ".js" or FileName == "MPDW-constraints.js"
22 | | where InitiatingProcessFileName != "drvinst.exe"
23 |
--------------------------------------------------------------------------------
/Privilege Escalation/UAC/ChangePKSLUITampering.kql:
--------------------------------------------------------------------------------
1 | Query:
2 | DeviceProcessEvents
3 | | where InitiatingProcessParentFileName =~ "slui.exe"
4 | | where InitiatingProcessFileName =~ "changepk.exe"
5 | | where ProcessIntegrityLevel == "High"
6 |
--------------------------------------------------------------------------------
/Privilege Escalation/UAC/Clipup.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 | Query:
3 | DeviceProcessEvents
4 | | where FileName ==@"Clipup.exe"
5 | References:
6 |
--------------------------------------------------------------------------------
/Privilege Escalation/UAC/DLLhostUAC.kql:
--------------------------------------------------------------------------------
1 | Tags:
2 |
3 | Query:
4 | DeviceProcessEvents
5 | | where InitiatingProcessFileName =~ "dllhost.exe"
6 | | where ProcessIntegrityLevel == "High"
7 | | where InitiatingProcessCommandLine has_any ("E9495B87-D950-4AB5-87A5-FF6D70BF3E90", "3E5FC7F9-9A51-4367-9063-A120244FBEC7", "D2E7041B-2927-42fb-8E9F-7CE93B6DC937")
8 |
9 | References:
10 |
--------------------------------------------------------------------------------
/Privilege Escalation/UAC/sdcltUAC.kql:
--------------------------------------------------------------------------------
1 | DeviceProcessEvents
2 | | where (FileName ==@"sdclt.exe" or ProcessVersionInfoOriginalFileName == @"sdclt.exe") and ProcessCommandLine contains "kickoffelev"
3 |
--------------------------------------------------------------------------------
/Privilege Escalation/applicationshimming.kql:
--------------------------------------------------------------------------------
1 | name: Privilege Escalation, Persistence T1546.011 Application shimming via sdbinst.exe
2 | description: Detects the usage of the utility sdbinst.exe that can set registry key for application shimming.
3 | references: https://attack.mitre.org/techniques/T1546/011/, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
4 | tags: privilege_escalation, persistence, t1546.011
5 | search_query:
6 | (DeviceProcessEvents
7 | | where ProcessVersionInfoInternalFileName =~ "sdbinst.exe"
8 | | where not(ProcessCommandLine has_all ("-m","-bg")) | where ProcessCommandLine != @"""sdbinst.exe"" -mm"
9 | | where ProcessCommandLine !contains "iisexpressshim.sdb")
10 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
10 |
11 |
12 |
13 |
14 |
21 | [![Contributors][contributors-shield]][contributors-url]
22 | [![Forks][forks-shield]][forks-url]
23 | [![Stargazers][stars-shield]][stars-url]
24 | [![Issues][issues-shield]][issues-url]
25 | [![MIT License][license-shield]][license-url]
26 |
27 |
28 |
29 |
30 |
37 |
38 |
39 |
40 |
41 | ## About The Project
42 |
43 | This repository comprises Microsoft Defender Hunting queries. These queries have been developed using telemetry data provided by Defender ATP.This queries were used as Detection rules in production enviroment, They are a result of my own work and inspiration drawn from the contributions of the exceptional community members acknowledged below. Please don't hesitate to propose any additional queries for inclusion in this repository.
44 | ## Roadmap
45 |
46 | - [ ✅ ] Add detections based on ASR rules
47 | - [ ] Add detections based on windows API's logged
48 |
49 | See the [open issues](https://github.com/0xAnalyst/DefenderATPQueries/issues) for a full list of proposed features (and known issues).
50 |
51 |
52 |
53 |
54 |
55 | ## Contributing
56 |
57 | Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.
58 |
59 | If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
60 |
61 |
62 | ## License
63 |
64 | Distributed under the MIT License. See `LICENSE.txt` for more information.
65 |
66 |
67 | ## Acknowledgments
68 |
69 | * []() https://github.com/SigmaHQ/sigma
70 | * []() https://github.com/FalconForceTeam/FalconFriday
71 | * []()https://detection.fyi/
72 | * []()https://github.com/elastic/detection-rules/tree/main/rules
73 |
74 |
75 |
76 |
77 |
78 | [contributors-shield]: https://img.shields.io/github/contributors/0xAnalyst/DefenderATPQueries.svg?style=for-the-badge
79 | [contributors-url]: https://github.com/0xAnalyst/DefenderATPQueries/graphs/contributors
80 | [forks-shield]: https://img.shields.io/github/forks/0xAnalyst/DefenderATPQueries.svg?style=for-the-badge
81 | [forks-url]: https://github.com/0xAnalyst/DefenderATPQueries/forks
82 | [stars-shield]: https://img.shields.io/github/stars/0xAnalyst/DefenderATPQueries.svg?style=for-the-badge
83 | [stars-url]: https://github.com/0xAnalyst/DefenderATPQueries/stargazers
84 | [issues-shield]: https://img.shields.io/github/issues/0xAnalyst/DefenderATPQueries.svg?style=for-the-badge
85 | [issues-url]: https://github.com/0xAnalyst/DefenderATPQueries/issues
86 | [license-shield]: https://img.shields.io/github/license/0xAnalyst/DefenderATPQueries.svg?style=for-the-badge
87 | [license-url]: https://github.com/0xAnalyst/DefenderATPQueries/blob/master/LICENSE
88 | [product-screenshot]: images/screenshot.png
89 | [Next.js]: https://img.shields.io/badge/next.js-000000?style=for-the-badge&logo=nextdotjs&logoColor=white
90 | [Next-url]: https://nextjs.org/
91 | [React.js]: https://img.shields.io/badge/React-20232A?style=for-the-badge&logo=react&logoColor=61DAFB
92 | [React-url]: https://reactjs.org/
93 | [Vue.js]: https://img.shields.io/badge/Vue.js-35495E?style=for-the-badge&logo=vuedotjs&logoColor=4FC08D
94 | [Vue-url]: https://vuejs.org/
95 | [Angular.io]: https://img.shields.io/badge/Angular-DD0031?style=for-the-badge&logo=angular&logoColor=white
96 | [Angular-url]: https://angular.io/
97 | [Svelte.dev]: https://img.shields.io/badge/Svelte-4A4A55?style=for-the-badge&logo=svelte&logoColor=FF3E00
98 | [Svelte-url]: https://svelte.dev/
99 | [Laravel.com]: https://img.shields.io/badge/Laravel-FF2D20?style=for-the-badge&logo=laravel&logoColor=white
100 | [Laravel-url]: https://laravel.com
101 | [Bootstrap.com]: https://img.shields.io/badge/Bootstrap-563D7C?style=for-the-badge&logo=bootstrap&logoColor=white
102 | [Bootstrap-url]: https://getbootstrap.com
103 | [JQuery.com]: https://img.shields.io/badge/jQuery-0769AD?style=for-the-badge&logo=jquery&logoColor=white
104 | [JQuery-url]: https://jquery.com
105 |
106 |
--------------------------------------------------------------------------------
/RedCanaryReport2024/ChromeloaderRegistryValueLargeSizeGeneric.kql:
--------------------------------------------------------------------------------
1 | DeviceRegistryEvents | where RegistryValueType =~ 'String' | where RegistryValueName != @"OnboardingInfo"
2 | | where strlen(RegistryValueData) > 5000
3 | | where InitiatingProcessFileName != @"mssense.exe"
4 |
--------------------------------------------------------------------------------
/RedCanaryReport2024/PossibleMaliciousBrowserExtensionLoaded.kql:
--------------------------------------------------------------------------------
1 | DeviceProcessEvents
2 | | where FileName has_any('chrome.exe','msedge.exe')
3 | and ProcessCommandLine contains "--load-extension"
4 |
--------------------------------------------------------------------------------
/RedCanaryReport2024/SecretsdumpExecution.KQL:
--------------------------------------------------------------------------------
1 | DeviceImageLoadEvents
2 | | where InitiatingProcessFileName contains "svchost.exe" and FileName contains "regsvc.dll" | where InitiatingProcessCommandLine != @"svchost.exe -k LocalService"
3 |
--------------------------------------------------------------------------------
/RedCanaryReport2024/SmashjackerAppinitDLLmodifcation.KQL:
--------------------------------------------------------------------------------
1 | DeviceProcessEvents
2 | | where ProcessVersionInfoFileDescription
3 | contains "Registry Console Tool" and ProcessCommandLine contains "AppInit_DLLs"
4 |
5 |
--------------------------------------------------------------------------------
/RedCanaryReport2024/Tarfilexecutions.kql:
--------------------------------------------------------------------------------
1 | DeviceProcessEvents | where ProcessCommandLine has_all ('tar', ' -xvf', ' -C')| where InitiatingProcessParentFileName != @"Cisco WebEx Start"
2 |
--------------------------------------------------------------------------------
/RedCanaryReport2024/WscriptInternetConnection.KQL:
--------------------------------------------------------------------------------
1 | DeviceNetworkEvents
2 | | where InitiatingProcessFileName contains "wscript.exe"| where RemoteIPType == @"Public" | where RemoteUrl !endswith @".entrust.net"
3 |
--------------------------------------------------------------------------------
/RedCanaryReport2024/YellowCockatooPowershellPersistence:
--------------------------------------------------------------------------------
1 | DeviceFileEvents
2 | | where InitiatingProcessFileName contains "powershell.exe"
3 | and FolderPath contains @"programs\startup"
4 |
--------------------------------------------------------------------------------
/Sentinel/Apt29.kql:
--------------------------------------------------------------------------------
1 | References:https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
2 | Use this Sentinel queries to hunt for apt29 teams phishing activity
3 |
4 | OfficeActivity
5 | | where UserId has_any ("msonlineservicesteam","mlcrosoftaccounts","msftonlineservices","msonlineteam","msftservice","noreplyteam","accounteam","teamsprotection","identityverification","msftprotection","accountsverification","azuresecuritycenter")
6 |
7 | OfficeActivity
8 | | where UserId endswith @"onmicrosoft.com" and UserId !endswith @"Yourdomain.onmicrosoft.com"
9 |
10 | Filter for false positives
11 |
--------------------------------------------------------------------------------
/Sentinel/DeviceLogonEvents/BurteForceSingleIPmultipledestinationswithin10minutes.md:
--------------------------------------------------------------------------------
1 | # Rule Documentation: Brute Force Logon Attempt from Single Source IP Across Multiple Devices
2 |
3 | ## Description
4 | This detection rule identifies a potential **brute force attack** originating from a single external IP address (`RemoteIP`) that has failed to log in across **multiple Windows devices** within a short period of time. This behavior is indicative of credential stuffing or brute force login attempts, where an attacker systematically tries different combinations of usernames and passwords to gain access.
5 |
6 | The detection is triggered when **10 or more failed logon attempts** occur from the **same Remote IP address** across **10 or more distinct devices** within a **10-minute window**. This type of activity could represent early-stage reconnaissance or lateral movement attempts after an initial foothold.
7 |
8 | This logic is based on the behavior described in Elastic’s prebuilt rule:
9 | - [Elastic Rule: Multiple Logon Failures from the Same Source IP](https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip)
10 |
11 | ## Detection Logic
12 | - **Source Table:** `DeviceLogonEvents`
13 | - **Filters Applied:**
14 | - `ActionType` is `"LogonFailed"`
15 | - `RemoteIP` is **not empty** and **not equal to localhost (`127.0.0.1`)**
16 | - **Aggregation Window:** 10 minutes
17 | - **Conditions:**
18 | - `FailedLogonCount >= 10`
19 | - `DistinctTargetDevices >= 10`
20 |
21 | ## Tags
22 | - Brute Force
23 | - Credential Access
24 | - Initial Access
25 | - Logon Failures
26 | - Suspicious Authentication Behavior
27 | - T1110
28 |
29 | ## Search Query
30 | ```kql
31 | DeviceLogonEvents
32 | | where ActionType == "LogonFailed" and isnotempty(RemoteIP)
33 | | where RemoteIP != @"127.0.0.1"
34 | | summarize
35 | FailedLogonCount = count(),
36 | DistinctTargetDevices = dcount(DeviceName),
37 | TargetDevices = make_set(DeviceName, 10),
38 | FirstSeen = min(Timestamp),
39 | LastSeen = max(Timestamp)
40 | by RemoteIP, bin(Timestamp, 10m)
41 | | where FailedLogonCount >= 10 and DistinctTargetDevices >= 10
42 | | project
43 | FirstSeen,
44 | LastSeen,
45 | RemoteIP,
46 | FailedLogonCount,
47 | DistinctTargetDevices,
48 | TargetDevices
49 | | order by FailedLogonCount desc
50 |
--------------------------------------------------------------------------------
/Sentinel/MFA/MFASuspicious.md:
--------------------------------------------------------------------------------
1 | # Rule : User Reported MFA Suspicious Activity
2 |
3 | ## Description
4 | This detection rule identifies and correlates suspicious user management activities within Azure Active Directory (AAD) audit logs with sign-in logs to provide a comprehensive overview of potential unauthorized access. This rule is particularly focused on operations that deviate from normal user management activities, such as those that are not associated with updating user profiles, and that contain terms indicative of reported activities.
5 |
6 | Azure AD provides functionality for reporting suspicious activity, helping administrators to investigate and mitigate potential security threats. This rule leverages similar principles by flagging and investigating user management operations that could indicate malicious intent, such as attempts to change user information after unauthorized access.
7 |
8 | By cross-referencing these user management events with corresponding sign-in logs, this rule helps to identify potentially compromised accounts and provides the necessary details, such as the IP address and the time of the related sign-in event, to facilitate a thorough investigation.
9 |
10 | - [Microsoft Tech Community on Reporting Suspicious Activity](https://techcommunity.microsoft.com/t5/microsoft-entra/report-suspicious-activity-preview/m-p/3751886)
11 |
12 | ## Detection Logic
13 | - Monitors `AuditLogs` for suspicious user management activities where:
14 | - The `Category` is `"UserManagement"`,
15 | - The `ActivityDisplayName` is not `"Update user"`,
16 | - The `OperationName` contains `"reported"`.
17 | - Correlates these activities with `SigninLogs` based on the username to include information such as IP addresses and timestamps of the associated sign-ins.
18 |
19 | ## Tags
20 | - User Management
21 | - Account Compromise
22 | - Azure Active Directory
23 | - Suspicious Activity
24 | - Audit Logs
25 | - Sign-In Logs
26 | - Security Investigation
27 |
28 | ## Search Query
29 | ```kql
30 | AuditLogs
31 | | where Category == "UserManagement"
32 | | where ActivityDisplayName <> "Update user"
33 | | where OperationName contains "reported"
34 | | extend username = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
35 | | join kind=inner (
36 | // Get sign-in logs that match the username
37 | SigninLogs
38 | | extend username = UserPrincipalName
39 | | project username, IPAddress, TimeGenerated
40 | ) on username
41 | | distinct TimeGenerated, username, ActivityDisplayName, OperationName, IPAddress
42 | ```
43 | Note:
44 | This might not report activities where IP addresses weren't in signinlogs. first part of the query can be used as a detection rule by itself
45 |
--------------------------------------------------------------------------------
/WindowsAPIDetections/GetAsyncKeyStateApiCallQuery.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of GetAsyncKeyState API Call
2 |
3 | ## Description
4 | This detection rule identifies suspicious usage of the `GetAsyncKeyState` API call. The `GetAsyncKeyState` function is used to determine whether a key is currently pressed or was pressed after a previous call to this function, which can be leveraged by keylogging malware to capture keystrokes. Legitimate software may use this function, but it is often exploited by malicious actors to monitor and capture user input, leading to unauthorized access to sensitive information. According to the MITRE ATT&CK framework, this technique falls under "Input Capture: Keylogging" (T1056.001).
5 |
6 | This rule helps detect and audit suspicious usage of `GetAsyncKeyState`, providing an early warning for potential keylogging activities.
7 |
8 | - [MITRE ATT&CK: Input Capture: Keylogging](https://attack.mitre.org/techniques/T1056/001/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceEvents` for events where:
12 | - The `ActionType` is "GetAsyncKeyStateApiCall".
13 | - The `InitiatingProcessVersionInfoFileDescription` is not "Adobe Acrobat".
14 | - The `InitiatingProcessVersionInfoProductName` is not "QuickTime".
15 | - The `InitiatingProcessVersionInfoCompanyName` is not "Adobe Systems Incorporated".
16 | - The `InitiatingProcessVersionInfoCompanyName` is not "MAXON Computer GmbH".
17 | - The `InitiatingProcessVersionInfoCompanyName` is not "Adobe".
18 |
19 | ## Tags
20 | - Keylogging
21 | - GetAsyncKeyState
22 | - Input Capture
23 | - API Call
24 | - MITRE ATT&CK T1056.001
25 | - Suspicious Activity
26 |
27 | ## Search Query
28 | ```kql
29 | DeviceEvents
30 | | where ActionType == "GetAsyncKeyStateApiCall"
31 | | where InitiatingProcessVersionInfoFileDescription != "Adobe Acrobat"
32 | | where InitiatingProcessVersionInfoProductName != "QuickTime"
33 | | where InitiatingProcessVersionInfoCompanyName != "Adobe Systems Incorporated"
34 | | where InitiatingProcessVersionInfoCompanyName != "MAXON Computer GmbH"
35 | | where InitiatingProcessVersionInfoCompanyName != "Adobe"
36 | ```
37 |
--------------------------------------------------------------------------------
/WindowsAPIDetections/NtMapViewOfSectionDetectionRule.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of NtMapViewOfSection Remote API Call
2 |
3 | ## Description
4 | This detection rule identifies suspicious usage of the `NtMapViewOfSection` function for remote API calls. The `NtMapViewOfSection` function allows a process to map a view of a section into its address space, which can be used for legitimate purposes but can also be exploited by malicious actors for process injection. This technique is often used to execute arbitrary code within the context of another process, potentially leading to unauthorized actions or evasion of security controls. According to the MITRE ATT&CK framework, this technique is categorized under "Process Injection" (T1055).
5 |
6 | This rule helps detect and audit suspicious usage of `NtMapViewOfSection`, providing an early warning for potential malicious activities involving process injection.
7 |
8 | - [MITRE ATT&CK: Process Injection](https://attack.mitre.org/techniques/T1055/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceEvents` for events where:
12 | - The `ActionType` includes "NtMapViewOfSectionRemoteApiCall".
13 | - The `FileName` is not "firefox.exe".
14 | - The `FileName` is not "MicrosoftEdgeCP.exe".
15 |
16 | ## Tags
17 | - Process Injection
18 | - NtMapViewOfSection
19 | - Remote API Call
20 | - MITRE ATT&CK T1055
21 | - Suspicious Activity
22 |
23 | ## Search Query
24 | ```kql
25 | DeviceEvents
26 | | where ActionType has_any('NtMapViewOfSectionRemoteApiCall')
27 | | where FileName != "firefox.exe" and FileName != "MicrosoftEdgeCP.exe"
28 | ```
29 |
--------------------------------------------------------------------------------
/WindowsAPIDetections/QueueUserApcRemoteApiCallDetectionRule.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of QueueUserAPC Remote API Call
2 |
3 | ## Description
4 | This detection rule identifies suspicious usage of the `QueueUserAPC` function for remote API calls. The `QueueUserAPC` function allows a program to specify a function to be called asynchronously in the context of a specified thread. While this is a legitimate function used by many applications, it can be exploited by malicious actors to execute arbitrary code in the context of another process, facilitating process injection and potentially leading to unauthorized actions or evasion of security controls. According to the MITRE ATT&CK framework, this technique is categorized under "Process Injection: Asynchronous Procedure Call (APC) Injection" (T1055.004).
5 |
6 | This rule helps detect and audit suspicious usage of `QueueUserAPC`, providing an early warning for potential malicious activities involving process injection.
7 |
8 | - [MITRE ATT&CK: Asynchronous Procedure Call (APC) Injection](https://attack.mitre.org/techniques/T1055/004/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceEvents` for events where:
12 | - The `ActionType` is "QueueUserApcRemoteApiCall".
13 | - The `InitiatingProcessCommandLine` is not `"svchost.exe -k netsvcs -p -s ShellHWDetection"`.
14 | - The `InitiatingProcessVersionInfoProductName` is not "Microsoft Edge Installer".
15 | - The `ProcessCommandLine` is not `"svchost.exe -k netsvcs -p -s Winmgmt"`.
16 |
17 | ## Tags
18 | - Process Injection
19 | - APC Injection
20 | - QueueUserAPC
21 | - Remote API Call
22 | - MITRE ATT&CK T1055.004
23 | - Suspicious Activity
24 |
25 | ## Search Query
26 | ```kql
27 | DeviceEvents
28 | | where ActionType == "QueueUserApcRemoteApiCall"
29 | | where InitiatingProcessCommandLine != "svchost.exe -k netsvcs -p -s ShellHWDetection"
30 | | where InitiatingProcessVersionInfoProductName != "Microsoft Edge Installer"
31 | | where ProcessCommandLine != "svchost.exe -k netsvcs -p -s Winmgmt"
32 | ```
33 |
--------------------------------------------------------------------------------
/WindowsAPIDetections/Readme.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # List all Available Windows API telemtry
4 | ```
5 | DeviceEvents
6 | | where ActionType contains "ApiCall"
7 | | summarize count() by ActionType
8 | | project ActionType
9 | ```
10 |
--------------------------------------------------------------------------------
/WindowsAPIDetections/SetThreadContextRemoteApiCallQuery.md:
--------------------------------------------------------------------------------
1 | # Rule : Detection of SetThreadContext Remote API Call
2 |
3 | ## Description
4 | This detection rule identifies suspicious usage of the `SetThreadContext` function for remote API calls. The `SetThreadContext` function is used to modify the context of a specified thread, which can be leveraged by malicious actors to inject code into another process's address space. This technique allows attackers to execute arbitrary code within the context of another process, potentially leading to unauthorized actions or evasion of security controls. According to the MITRE ATT&CK framework, this technique falls under "Process Injection: Thread Execution Hijacking" (T1055.003).
5 |
6 | This rule helps detect and audit suspicious usage of `SetThreadContext`, providing an early warning for potential malicious activities involving process injection.
7 |
8 | - [MITRE ATT&CK: Thread Execution Hijacking](https://attack.mitre.org/techniques/T1055/003/)
9 |
10 | ## Detection Logic
11 | - Monitors `DeviceEvents` for events where:
12 | - The `ActionType` is "SetThreadContextRemoteApiCall".
13 |
14 | ## Tags
15 | - Process Injection
16 | - SetThreadContext
17 | - Remote API Call
18 | - MITRE ATT&CK T1055.003
19 | - Suspicious Activity
20 |
21 | ## Search Query
22 | ```kql
23 | DeviceEvents
24 | | where ActionType == "SetThreadContextRemoteApiCall"
25 | ```
26 |
--------------------------------------------------------------------------------