├── Malware
│   ├── Amadey - forfiles.exe Indirect Process Execution.md
│   └── ClickFix - conhost.exe headless and wmic product install remote source.md
├── References
│   └── Microsoft Defender Stack & KQL Resources.md
├── DFIR
│   ├── OfficeActivity - SharePoint & OneDrive Accessed Files Breakdown.md
│   ├── OfficeActivity - OfficeWorkload and Operations Summary from Flagged IPs.md
│   ├── OfficeActivity x EmailEvents - Get Emails sent by Compromised Users.md
│   ├── OfficeActivity x AuditLogs - Containment of Users with flagged IPs events.md
│   └── OfficeActivity - MailItemsAccessed Breakdown.md
├── LICENSE
├── 100DaysOfKQL
│   ├── Day 77 - Database Dump To Disk via sqlcmd.exe.md
│   ├── Day 66 - Sysinternals Usage.md
│   ├── Day 81 - Executable File or Script Fetched during Network Connection.md
│   ├── Day 55 - Executable File With Short Numerical Name Observed.md
│   ├── Day 85 - Command Line Spawned by Microsoft SQL Server.md
│   ├── Day 68 - SSH Used For Reverse Tunnel on Windows.md
│   ├── Day 88 - ESENTUTL Used to Copy a File.md
│   ├── Day 96 - certutil.exe Used to Decode a File into a PE.md
│   ├── Day 61 - SoftPerfect Network Scanner Usage.md
│   ├── Day 80 - mshta.exe Executing Raw Script From Command Line.md
│   ├── Day 78 - Sign-In Events From IP Address Associated With Malicious Domain.md
│   ├── Day 51 - Command Execution Coming From Windows Remote Management.md
│   ├── Day 93 - PowerShell IEX or Invoke-Expression.md
│   ├── Day 89 - WmiPrvSE.exe Launching Command Executed Remotely.md
│   ├── Day 84 - CLR DLLs Loaded by Process with Low Prevalence.md
│   ├── Day 71 - cscript.exe or wscript.exe Launched with Script Engine Parameter.md
│   ├── Day 3 - Split or Part Archive Files Events.md
│   ├── Day 72 - New Service Principal Added Following Consent to Application.md
│   ├── Day 64 - Emails With Company Name in Display Name Sent From Non-Company Domains.md
│   ├── Day 91 - Large EXE or MSI File Observed in User Downloads Folder.md
│   ├── Day 42 - nltest.exe Execution.md
│   ├── Day 87 - Command Line Interpreter Launched as Service.md
│   ├── Day 97 - PowerShell COM Interaction.md
│   ├── Day 69 - Potential Terminal Server or TermService Tampering via RDPWrap.md
│   ├── Day 74 - Consent to Application With Dangerous Delegated Permissions.md
│   ├── Day 11 - Script Execution From User's Downloads Folder.md
│   ├── Day 23 - Workstations with Public IP Assigned to Network Interface.md
│   ├── Day 83 - Password Accessed By User in Google Chrome or Microsoft Edge.md
│   ├── Day 15 - PowerShell Invoke-WebRequest, IWR or Net.WebClient.md
│   ├── Day 79 - PowerShell Process Launching PowerShell Process with Encoded Command.md
│   ├── Day 94 - Archive Created at the Root of a Drive.md
│   ├── Day 48 - runas.exe Usage.md
│   ├── Day 16 - Processes Launched by PowerShell Remoting (WSMProvHost.exe).md
│   ├── Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process.md
│   ├── Day 12 - Successful Sign-in to OfficeHome with ASN Enrichment.md
│   ├── Day 10 - Virtual Drive Mounted From Archive.md
│   ├── Day 92 - Low Prevalence Unsigned DLL Sideloaded in AppData Folder.md
│   ├── Day 46 - Azure Subscription Ready Email.md
│   ├── Day 98 - Execution from a Low Prevalence, Non-Signed or Invalidly Signed Binary from C:\Windows.md
│   ├── Day 36 - 7-Zip or WinRAR Used With Password-Protected Archives.md
│   ├── Day 76 - Cloudflared Usage.md
│   ├── Day 47 - Credential Discovery Activity Through findstr.exe and reg.exe.md
│   ├── Day 6 - Files Potentially Holding Sensitive Information (MDE).md
│   ├── Day 14 - Potential Tunneled RDP Session.md
│   ├── Day 19 - Summarized Defender for Endpoint AntivirusDetection By Endpoint.md
│   ├── Day 63 - File Added to Startup Folder.md
│   ├── Day 82 - File Downloaded from Uncommon TLD.md
│   ├── Day 67 - Potential Discovery via PowerShell Test-Connection and Test-NetConnection.md
│   ├── Day 62 - PortableApps Application Observed.md
│   ├── Day 86 - Summarized Processes Launched by PowerShell or Command Line Scripts.md
│   ├── Day 90 - Network Connection from MSBuild.exe with ASN Enrichment.md
│   ├── Day 9 - Low Prevalence DLL Loaded From Process In User Downloads Folder.md
│   ├── Day 8 - Silent cmd.exe Execution With Redirected STDERR & STDOUT.md
│   ├── Day 33 - Suspicious String in Service Creation ImagePath.md
│   ├── Day 57 - Non-Sucking Service Manager (nssm) Usage.md
│   ├── Day 21 - Password of Newly Created User Used Through The CommandLine.md
│   └── Day 27 - Network Connection From Python-related Process.md
├── Defender for Endpoint
│   ├── DnsQueryResponse with Potential PowerShell Command.md
│   ├── WBAdmin.exe - Sensitive File Dump or Collection.md
│   ├── Windows Service Environment Registry Value Modification.md
│   ├── Events Involving Folder or Path with Trailing Space.md
│   ├── System Time Manipulation - Retrosigned Drivers EDR Bypass.md
│   ├── ExternalData - Network Connection to Tycoon2FA Domain.md
│   ├── Windows Service Masquerading as Per-User Service.md
│   ├── Executable File Fetched via WebDAV From External Host.md
│   ├── ExternalData - Network Connection to LOTS Project Domain.md
│   ├── evil-winrm-py - File Upload and Download.md
│   ├── Binary With Short-Lived Certificate Launched from Downloads Folder.md
│   ├── Summarization of net.exe use from Batch Script.md
│   └── Modification to a PowerShell Profile.md
└── Microsoft Sentinel
    └── Potential secretsdump remoteSSMethod - SAM, SECURITY and SYSTEM Accessed Remotely.md

/Malware/Amadey - forfiles.exe Indirect Process Execution.md:
--------------------------------------------------------------------------------
# *Amadey - forfiles.exe Indirect Process Execution*

## Query Information

Observed in October 2024: Amadey using forfiles.exe to call PowerShell.exe.

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1202 | Indirect Command Execution | https://attack.mitre.org/techniques/T1202/ |

#### Description

This rule detects the use of forfiles.exe to spawn a PowerShell.exe command by Amadey.

#### Risk

A user just executed an Amadey payload (e.g.: a .pdf.lnk file).

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

#### References
- https://x.com/s1dhy/status/1847055133756072279

## Defender XDR
```KQL
DeviceProcessEvents
| where InitiatingProcessFileName =~ "forfiles.exe"
| where FileName =~ "powershell.exe"
```
## Microsoft Sentinel
```KQL
DeviceProcessEvents
| where InitiatingProcessFileName =~ "forfiles.exe"
| where FileName =~ "powershell.exe"
```

--------------------------------------------------------------------------------
/References/Microsoft Defender Stack & KQL Resources.md:
--------------------------------------------------------------------------------
# Description

2025/01/09 - Simple list of people who I know share a lot of Microsoft Defender stack-related content and/or KQL content. Trying to have a list of people to follow, but mostly their websites/blogs, that can be shared so that people can watch for new publications and learn about all the cool stuff that can be done with Defender/KQL.

## Defender Stack focused

Ru Campbell - https://campbell.scot/ - @rucam365

Nathan McNulty - https://blog.nathanmcnulty.com/ - @NathanMcNulty

Jeffrey Appel - https://jeffreyappel.nl/ - @JeffreyAppel7

Fabian Bader - https://cloudbrothers.info/en/ - @fabian_bader

Thalpius - https://thalpius.com/ - None

Alex Verboon - https://www.verboon.info/ - @alexverboon

Michalis Michalos - https://www.michalos.net/ - @Cyb3rMik3

## KQL and others focused

Bert Jan P - https://kqlquery.com/ - @BertJanCyber

Mehmet Ergene - https://academy.bluraven.io/blog (previously https://posts.bluraven.io/) - @Cyb3rMonk

Matt Zorich - https://learnsentinel.blog/ - @reprise_99

Invictus IR - https://www.invictus-ir.com/news - @InvictusIR

Dylan - https://attackthesoc.com/posts/ - @DylanInfosec

Damien van der Linden - https://www.lindensec.com/ - @LindenSec

--------------------------------------------------------------------------------
/DFIR/OfficeActivity - SharePoint & OneDrive Accessed Files Breakdown.md:
--------------------------------------------------------------------------------
# *OfficeActivity - SharePoint & OneDrive Accessed Files Breakdown*

## Description

The queries below can be used to obtain information about SharePoint/OneDrive OfficeWorkload events from flagged IP addresses.

They give you a list of unique files, based on their path, that were involved in operations from the flagged IP addresses. You should assume that the content of every file listed in the results (depending on the Operation, or, if you don't want to take any chances, all of them) is no longer private and has been accessed by an unauthorized third party.

## Prerequisite(s)

A list of IP addresses that you identified as being malicious, suspicious and/or of interest.

## Microsoft Sentinel
### Query #1 - SharePoint/OneDrive files involved in Operations from flagged IPs
```KQL
let FlaggedIPs = dynamic([
    "1.1.1.1",
    "2.2.2.2"
]);
OfficeActivity
| where OfficeWorkload in~ ("SharePoint","OneDrive")
// Restrict to events coming from the flagged IPs (same IP columns as the other DFIR queries);
// without this filter, FlaggedIPs is declared but never applied
| where ClientIP has_any (FlaggedIPs)
    or Client_IPAddress has_any (FlaggedIPs)
    or ActorIpAddress has_any (FlaggedIPs)
| summarize ["Operations"]=make_set(Operation),
    ["Number of Operations"]=dcount(Operation),
    ["SiteURLs"]=make_set(Site_Url),
    ["Number of SiteURLs"]=dcount(Site_Url),
    ["SourceFileNames"]=make_set(SourceFileName),
    ["Number of SourceFileNames"]=dcount(SourceFileName)
    by OfficeObjectId, UserId
```

--------------------------------------------------------------------------------
/DFIR/OfficeActivity - OfficeWorkload and Operations Summary from Flagged IPs.md:
--------------------------------------------------------------------------------
# *OfficeActivity - OfficeWorkload and Operations Summary from Flagged IPs*

## Description

The queries below can be used to obtain a summary of OfficeActivity Operations and their associated OfficeWorkload from the OfficeActivity table in Microsoft Sentinel.

## Prerequisite(s)

A list of IP addresses that you identified as being malicious, suspicious and/or of interest.

## Microsoft Sentinel
### Query #1 - Operations and RecordTypes summarization by OfficeWorkload
```KQL
let FlaggedIPs = dynamic([
    "1.1.1.1",
    "2.2.2.2"
]);
OfficeActivity
| where ClientIP has_any (FlaggedIPs)
    or Client_IPAddress has_any (FlaggedIPs)
    or ActorIpAddress has_any (FlaggedIPs)
| summarize count(),
    ["Operations"]=make_set(Operation),
    ["Number of Operations"]=dcount(Operation),
    ["RecordTypes"]=make_set(RecordType),
    ["Number of RecordTypes"]=dcount(RecordType)
    by OfficeWorkload
```
### Query #2 - Count of events per OfficeWorkload, Operation and UserId
```KQL
let FlaggedIPs = dynamic([
    "1.1.1.1",
    "2.2.2.2"
]);
OfficeActivity
| where ClientIP has_any (FlaggedIPs)
    or Client_IPAddress has_any (FlaggedIPs)
    or ActorIpAddress has_any (FlaggedIPs)
| summarize count() by OfficeWorkload, Operation, UserId
```

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2024, SecurityAura

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/100DaysOfKQL/Day 77 - Database Dump To Disk via sqlcmd.exe.md:
--------------------------------------------------------------------------------
# *Database Dump To Disk via sqlcmd.exe*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/19 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1213 | Data from Information Repositories | https://attack.mitre.org/techniques/T1213/ |

#### Description

This query returns events where sqlcmd.exe is used to dump the content of a database (e.g.: tables) to files on disk.

Threat actors can use sqlcmd.exe to query/select all rows in specific SQL Server tables and redirect the output to a file on disk. They can automate that process by querying the SQL Server for all databases, listing the schemas and tables of the various databases and, from there, dumping all tables one by one.
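The automation described above (one sqlcmd.exe invocation per table) leaves a burst of output files behind. As an added example that is not part of the original repository, the same sqlcmd.exe filter extended to pull the query text and output path out of the command line and count distinct output files per device, account and hour; the extraction regexes and the threshold of 5 files are assumptions to tune per environment.

```KQL
// Added example, not part of the original repository. Extends the Day 77 query:
// extract the -Q query text and -o output path from the command line, then count
// distinct output files per device/account/hour. The 5-file threshold is an assumption.
DeviceProcessEvents
| where FileName =~ "sqlcmd.exe"
| where ProcessCommandLine has_all (" -Q ", " -o ")
// -Q (run and exit) and -q (run and stay interactive) both execute the query;
// the text is normally double-quoted, so capture what sits between the quotes
| extend SqlQuery = extract(@'\s-[Qq]\s+"([^"]*)"', 1, ProcessCommandLine)
// sqlcmd switches are case-sensitive: only a lowercase -o takes an output path,
// which may or may not be quoted
| extend OutputFile = extract(@'\s-o\s+"?([^"\s]+)"?', 1, ProcessCommandLine)
| extend TargetServer = extract(@'\s-S\s+"?([^"\s]+)"?', 1, ProcessCommandLine)
// Drop hits where has_all matched case-insensitively but no real -o <path> is present
| where isnotempty(OutputFile)
| summarize
    Executions = count(),
    DistinctOutputFiles = dcount(OutputFile),
    OutputFiles = make_set(OutputFile, 50),
    SqlQueries = make_set(SqlQuery, 50),
    TargetServers = make_set(TargetServer, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, Hour = bin(Timestamp, 1h)
// Many distinct output files within one hour from one host/account looks like a scripted dump
| where DistinctOutputFiles >= 5
| order by DistinctOutputFiles desc
```

Because has_all is case-insensitive while sqlcmd switches are not, the original filter also admits command lines that only carry -O or -q; the case-sensitive extraction plus the isnotempty check keeps only invocations that actually write a file.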

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName =~ "sqlcmd.exe"
| where ProcessCommandLine has_all (" -Q ", " -o ")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName =~ "sqlcmd.exe"
| where ProcessCommandLine has_all (" -Q ", " -o ")
```

--------------------------------------------------------------------------------
/DFIR/OfficeActivity x EmailEvents - Get Emails sent by Compromised Users.md:
--------------------------------------------------------------------------------
# *OfficeActivity x EmailEvents - Get Emails sent by Compromised Users*

## Description

The queries below can be used to obtain a summary of all the emails that were sent by a user from a flagged IP address.

## Prerequisite(s)

- A list of IP addresses that you identified as being malicious, suspicious and/or of interest.
- Auditing of the Send operation for the Exchange OfficeWorkload must be enabled.

## Microsoft Sentinel
### Query #1 - Summary of emails sent from flagged Send operations

This query provides a summary of emails, per their InternetMessageId, that were sent by Send operations coming from flagged IPs.

The summarization gives you, per InternetMessageId and Subject, the number of recipients targeted "Intra-org" (internal) and "Outbound" (external).
```KQL
let FlaggedIPs = dynamic([
    "1.1.1.1",
    "2.2.2.2"
]);
let InternetMessageIds = (
    OfficeActivity
    | where ClientIP has_any (FlaggedIPs)
        or Client_IPAddress has_any (FlaggedIPs)
        or ActorIpAddress has_any (FlaggedIPs)
    | where Operation == "Send"
    | extend InternetMessageId = tostring(parse_json(Item).InternetMessageId)
    | distinct InternetMessageId
);
EmailEvents
| where InternetMessageId in~ (InternetMessageIds)
| summarize ["ExternalRecipients"]=make_set_if(RecipientEmailAddress, EmailDirection =~ "Outbound"),
    ["InternalRecipients"]=make_set_if(RecipientEmailAddress, EmailDirection =~ "Intra-org")
    by InternetMessageId, Subject
| extend ExternalRecipientsCount = array_length(ExternalRecipients)
| extend InternalRecipientsCount = array_length(InternalRecipients)
| extend SharedRecipients = set_intersect(ExternalRecipients, InternalRecipients)
| extend SharedRecipientsCount = array_length(SharedRecipients)
```

--------------------------------------------------------------------------------
/100DaysOfKQL/Day 66 - Sysinternals Usage.md:
--------------------------------------------------------------------------------
# *Sysinternals Usage*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/07 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| N/A | N/A | N/A |

#### Description

DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance that page with more information when I get better/get back. For now, consider this as a hunting query.

This query returns events where a Sysinternals utility/tool is used.

PS: For more immediate context, Sysinternals tools can be (ab)used by threat actors in intrusions: PsExec to execute processes/commands, AdExplorer to "dump" the AD information, ProcDump to dump process memory, etc. Knowing which Sysinternals tools are used legitimately within your environment, and how, can help you spot the odd one out.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Sysinternals"
    or ProcessVersionInfoProductName has "Sysinternals"
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Sysinternals"
    or ProcessVersionInfoProductName has "Sysinternals"
```

--------------------------------------------------------------------------------
/100DaysOfKQL/Day 81 - Executable File or Script Fetched during Network Connection.md:
--------------------------------------------------------------------------------
# *Executable File or Script Fetched during Network Connection*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/23 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1105 | Ingress Tool Transfer | https://attack.mitre.org/techniques/T1105/ |

#### Description

DISCLAIMER - I have to post this query quickly today. I'll come back to it and update it with more information later on.

This query returns events where a file or a script was fetched (or an attempt was made to fetch one) during a network connection.

Exploratory query that you can use to get events where an executable file or script (e.g.: EXE, DLL, PS1, CMD, BAT, etc.) was fetched (read: GET, downloaded, etc.) by a system during a network connection. Technically, only files fetched through HTTP should show up in the results.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
DeviceNetworkEvents
| where RemoteUrl matches regex @"(?i)\.(exe|msi|dll|ps1|cmd|bat|sys)$"
| where RemoteUrl !has ".download.windowsupdate.com/"
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
DeviceNetworkEvents
| where RemoteUrl matches regex @"(?i)\.(exe|msi|dll|ps1|cmd|bat|sys)$"
| where RemoteUrl !has ".download.windowsupdate.com/"
```

--------------------------------------------------------------------------------
/Defender for Endpoint/DnsQueryResponse with Potential PowerShell Command.md:
--------------------------------------------------------------------------------
# *DnsQueryResponse with Potential PowerShell Command*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/07/18 | Initial version |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1071.004 | Application Layer Protocol: DNS | https://attack.mitre.org/techniques/T1071/004/ |

#### Description

This query looks for DnsQueryResponse events where the DnsQueryResult contains the "powershell" string, as tweeted by @1nt3l_hunt (on Twitter/X) on July 18, 2025.

https://x.com/1nt3l_hunt/status/1946221664452166083

This is a developing situation, though this query can serve as a base to start looking for these events in your Microsoft Defender XDR or Microsoft Sentinel.

contains is used here instead of has since the "powershell" string may not be tokenized as a separate term in certain TXT records, such as the one from tohknet[.]com.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Defender for Endpoint (MDE) via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "DnsQueryResponse"
| extend DnsQueryResult = tostring(parse_json(AdditionalFields).DnsQueryResult)
| where DnsQueryResult contains "powershell"
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "DnsQueryResponse"
| where AdditionalFields.DnsQueryResult contains "powershell"
```

--------------------------------------------------------------------------------
/100DaysOfKQL/Day 55 - Executable File With Short Numerical Name Observed.md:
--------------------------------------------------------------------------------
# *Executable File With Short Numerical Name Observed*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/02/24 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1036 | Masquerading | https://attack.mitre.org/techniques/T1036/ |

#### Description

This query returns events where an executable file, per its extension, with a short numerical name (3 digits or fewer) was observed.

The query basically speaks for itself. It is not uncommon during incidents to see that threat actors dropped and/or leveraged binaries with extremely short names: 1.exe, 2.ps1, def.bat, etc.

Therefore, we're looking for file events involving files with common executable extensions whose name (excluding the extension) is 3 digits or fewer. You can add extensions as needed and even play with the number of characters, raising the length limit (4, 5, etc.), to see what comes up.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
// 1 to 3 digits, a dot, one of the listed extensions, then end of name ($ keeps "1.exe.txt" out)
let FileNameRegex = @'^[0-9]{1,3}\.(exe|msi|dll|ps1|bat|cmd)$';
DeviceFileEvents
| where FileName matches regex FileNameRegex
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
// 1 to 3 digits, a dot, one of the listed extensions, then end of name ($ keeps "1.exe.txt" out)
let FileNameRegex = @'^[0-9]{1,3}\.(exe|msi|dll|ps1|bat|cmd)$';
DeviceFileEvents
| where FileName matches regex FileNameRegex
```

--------------------------------------------------------------------------------
/100DaysOfKQL/Day 85 - Command Line Spawned by Microsoft SQL Server.md:
--------------------------------------------------------------------------------
# *Command Line Spawned by Microsoft SQL Server*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/28 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | https://attack.mitre.org/techniques/T1059/003/ |

#### Description

DISCLAIMER - I have to post this query quickly today. I'll come back to it and update it with more information later on.

This query returns events where a command line (cmd.exe) was spawned by Microsoft SQL Server (sqlservr.exe).

This could be an indication of xp_cmdshell usage. Not every cmd.exe instance gets flagged by Defender XDR as suspicious/malicious. Starting as a hunting query, you can develop it into a more robust detection by filtering out known/benign invocations of cmd.exe by sqlservr.exe.

You can also develop it further, and make it so that if the process ancestry looks like sqlservr.exe -> cmd.exe -> typical discovery command such as net.exe, whoami.exe, etc., you alert on it.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where InitiatingProcessFileName =~ "sqlservr.exe"
| where FileName =~ "cmd.exe"
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where InitiatingProcessFileName =~ "sqlservr.exe"
| where FileName =~ "cmd.exe"
```

--------------------------------------------------------------------------------
/Defender for Endpoint/WBAdmin.exe - Sensitive File Dump or Collection.md:
--------------------------------------------------------------------------------
# *WBAdmin.exe - Sensitive File Dump or Collection*

## Query Information

During an Akira ransomware incident in Summer 2024, the threat actor installed the Windows Server Backup optional feature, used wbadmin.exe to create a backup of NTDS.dit alongside the SECURITY and SYSTEM hives, and uninstalled the feature afterwards.

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1003.003 | OS Credential Dumping: NTDS | https://attack.mitre.org/techniques/T1003/003/ |

#### Description

This rule detects the use of wbadmin.exe with the "start" and "backup" parameters and the presence of sensitive filenames:

- NTDS.dit
- SYSTEM (for the SYSTEM Registry Hive)
- SECURITY (for the SECURITY Registry Hive)
- SAM (for the SAM Registry Hive)

In this particular incident, only NTDS.dit and the SYSTEM and SECURITY Hives were targeted by the threat actor.

#### Risk

A threat actor is attempting to obtain copies of ntds.dit (the Active Directory database) and the SECURITY + SYSTEM + SAM Registry Hives, which would allow them to extract the content of ntds.dit and recover information such as password hashes.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

#### References
- https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files/?query=wbadmin
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin

## Defender XDR
```KQL
DeviceProcessEvents
| where FileName =~ "wbadmin.exe"
| where ProcessCommandLine has_all ("start","backup")
| where ProcessCommandLine has_any ("ntds.dit","SYSTEM","SECURITY","SAM")
```
## Microsoft Sentinel
```KQL
DeviceProcessEvents
| where FileName =~ "wbadmin.exe"
| where ProcessCommandLine has_all ("start","backup")
| where ProcessCommandLine has_any ("ntds.dit","SYSTEM","SECURITY","SAM")
```

--------------------------------------------------------------------------------
/100DaysOfKQL/Day 68 - SSH Used For Reverse Tunnel on Windows.md:
--------------------------------------------------------------------------------
# *SSH Used For Reverse Tunnel on Windows*

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/09 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1572 | Protocol Tunneling | https://attack.mitre.org/techniques/T1572/ |
| T1021.004 | Remote Services: SSH | https://attack.mitre.org/techniques/T1021/004/ |

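Returning to Day 85 above: the process-ancestry refinement it suggests (sqlservr.exe -> cmd.exe -> discovery command), written out as an added example that is not part of the original repository. The discovery-tool list and the benign-command-line placeholder are assumptions to tune per environment; the rest uses the DeviceProcessEvents columns the repository already relies on.

```KQL
// Added example, not part of the original repository. Implements the Day 85
// refinement: sqlservr.exe (grandparent) -> cmd.exe (parent) -> discovery tool (child).
// The tool list below is an assumption; extend it with what you see in your own incidents.
let DiscoveryTools = dynamic([
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
    "systeminfo.exe", "tasklist.exe", "quser.exe", "hostname.exe", "ping.exe"
]);
// Placeholder: after baselining, fill this with the command lines of known maintenance
// jobs that legitimately run cmd.exe from sqlservr.exe in your environment
let BenignCmdLines = dynamic(["PLACEHOLDER-known-benign-job-command-line"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "sqlservr.exe"
| where InitiatingProcessFileName =~ "cmd.exe"
| where not(InitiatingProcessCommandLine has_any (BenignCmdLines))
| where FileName in~ (DiscoveryTools)
// One row per cmd.exe instance spawned by SQL Server, with every discovery command it ran,
// so a single shell chaining whoami/net/nltest stands out from a lone ping
| summarize
    DistinctTools = dcount(FileName),
    ToolsRun = make_set(FileName, 20),
    DiscoveryCommands = make_set(ProcessCommandLine, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessId, InitiatingProcessCommandLine
| order by DistinctTools desc, FirstSeen asc
```

Run the same query without the FileName filter and with a summarize by InitiatingProcessCommandLine to baseline which cmd.exe invocations sqlservr.exe performs legitimately before you populate BenignCmdLines.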
23 | 24 | #### Risk 25 | 26 | A threat actor is attempting to obtain copies of the ntds.dit (Active Directory database) and the SECURITY + SYSTEM + SAM Registry Hives which would allow it to dump the content of ntds.dit and recover information such as password hashes. 27 | 28 | #### Author 29 | - **Name:** SecurityAura 30 | - **Github:** https://github.com/SecurityAura 31 | - **Twitter:** https://x.com/SecurityAura 32 | - **LinkedIn:** Coming Soon! 33 | - **Website:** https://medium.com/@securityaura 34 | 35 | #### References 36 | - https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files/?query=wbadmin 37 | - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin 38 | 39 | ## Defender XDR 40 | ```KQL 41 | DeviceProcessEvents 42 | | where FileName =~ "wbadmin.exe" 43 | | where ProcessCommandLine has_all ("start","backup") 44 | | where ProcessCommandLine has_any ("ntds.dit","SYSTEM","SECURITY","SAM") 45 | ``` 46 | ## Microsoft Sentinel 47 | ```KQL 48 | DeviceProcessEvents 49 | | where FileName =~ "wbadmin.exe" 50 | | where ProcessCommandLine has_all ("start","backup") 51 | | where ProcessCommandLine has_any ("ntds.dit","SYSTEM","SECURITY","SAM") 52 | ``` 53 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 68 - SSH Used For Reverse Tunnel on Windows.md: -------------------------------------------------------------------------------- 1 | # *SSH Used For Reverse Tunnel on Windows* 2 | 3 | #### Changelog 4 | 5 | | Date | Comments | 6 | |---|---| 7 | | 2025/03/09 | Initial version (part of #100DaysOfKQL) | 8 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 9 | 10 | #### MITRE ATT&CK Technique(s) 11 | 12 | | Technique ID | Title | Link | 13 | | --- | --- | --- | 14 | | T1572 | Protcol Tunneling | https://attack.mitre.org/techniques/T1572/ | 15 | | T1021.004 | Remote Services: SSH | https://attack.mitre.org/techniques/T1021/004/ | 16 | 
17 | #### Description 18 | 19 | DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance this page with more information when I get better/get back. For now, consider this as a hunting query. 20 | 21 | This query returns events where SSH (on Windows) is used to set up a reverse tunnel, i.e. ssh.exe launched with a -R [bind_address:]port:host:hostport argument, which opens a listener on the remote SSH server and forwards it back to a host and port reachable from the endpoint. 22 | 23 | PS: For immediate context, threat actors set up reverse tunnels to bypass network restrictions and, from there, access systems remotely through other protocols such as RDP (RDP over an SSH tunnel). 24 | 25 | #### Author 26 | 27 | - **Name:** SecurityAura 28 | - **Github:** https://github.com/SecurityAura 29 | - **Twitter:** https://x.com/SecurityAura 30 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 31 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 32 | - **LinkedIn:** Coming Soon! 33 | - **Website:** https://medium.com/@securityaura 34 | 35 | ### References ### 36 | 37 | - https://cloud.google.com/blog/topics/threat-intelligence/bypassing-network-restrictions-through-rdp-tunneling 38 | 39 | ### Queries Overview ### 40 | 41 | - Defender for Endpoint (MDE) - 1 query 42 | 43 | ## Microsoft Defender XDR ## 44 | ### Microsoft Defender for Endpoint via DeviceNetworkEvents ### 45 | ```KQL 46 | // -R [bind_address:]port:host:hostport is the OpenSSH reverse (remote) port forwarding syntax 47 | DeviceNetworkEvents 48 | | where InitiatingProcessFileName =~ "ssh.exe" 49 | | where InitiatingProcessCommandLine matches regex @"-R\s*(\S+:)?\d+:\S+:\d+" 50 | ``` 51 | ## Microsoft Sentinel ## 52 | ### Microsoft Defender for Endpoint via DeviceNetworkEvents ### 53 | ```KQL 54 | // -R [bind_address:]port:host:hostport is the OpenSSH reverse (remote) port forwarding syntax 55 | DeviceNetworkEvents 56 | | where InitiatingProcessFileName =~ "ssh.exe" 57 | | where InitiatingProcessCommandLine matches regex @"-R\s*(\S+:)?\d+:\S+:\d+" 58 | ``` 59 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 88 - ESENTUTL Used to Copy a File.md: -------------------------------------------------------------------------------- 1 | # 
*ESENTUTL Used to Copy a File* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/03/31 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1006 | Direct Volume Access | https://attack.mitre.org/techniques/T1006/ | 17 | | T1003.003 | OS Credential Dumping: NTDS | https://attack.mitre.org/techniques/T1003/003/ | 18 | 19 | #### Description 20 | 21 | This query returns events where ESENTUTL was used to copy a file. 22 | 23 | Another built-in Windows tool that threat actors abuse to copy, or otherwise make accessible, files that can hold credentials or secrets, such as NTDS.dit or the SAM, SECURITY and SYSTEM Registry hives. 24 | 25 | esentutl.exe may be used in some environments by SysAdmins who need to interact with (repair, recover, etc.) databases built on the Extensible Storage Engine (ESE) format. However, using it for copy operations (/y) should be quite rare, and even more so when the /vss switch is used to perform the copy through the Volume Shadow Copy service, which is what lets it read files that are locked while in use. 26 | 27 | #### Author 28 | - **Name:** SecurityAura 29 | - **Github:** https://github.com/SecurityAura 30 | - **Twitter:** https://x.com/SecurityAura 31 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 32 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 33 | - **LinkedIn:** Coming Soon! 
34 | - **Website:** https://medium.com/@securityaura 35 | 36 | ### References ### 37 | 38 | - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875594(v=ws.11) 39 | 40 | ### Queries Overview ### 41 | 42 | - Defender for Endpoint (MDE) - 1 query 43 | 44 | ## Microsoft Defender XDR ## 45 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 46 | ```KQL 47 | DeviceProcessEvents 48 | | where FileName =~ "esentutl.exe" 49 | | where ProcessCommandLine has "/y" 50 | ``` 51 | ## Microsoft Sentinel ## 52 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 53 | ```KQL 54 | DeviceProcessEvents 55 | | where FileName =~ "esentutl.exe" 56 | | where ProcessCommandLine has "/y" 57 | ``` 58 | -------------------------------------------------------------------------------- /Microsoft Sentinel/Potential secretsdump remoteSSMethod - SAM, SECURITY and SYSTEM Accessed Remotely.md: -------------------------------------------------------------------------------- 1 | # *Potential secretsdump remoteSSMethod - SAM, SECURITY and SYSTEM Accessed Remotely* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/07/10 | Initial version | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | T1047 | Windows Management Instrumentation | https://attack.mitre.org/techniques/T1047/ | 16 | | T1003 | OS Credential Dumping | https://attack.mitre.org/techniques/T1003/ | 17 | | T1021.002 | Remote Services: SMB/Windows Admin Shares | https://attack.mitre.org/techniques/T1021/002/ | 18 | 19 | #### Description 20 | 21 | This query looks for Event ID 5145 (a network share object was checked to see whether the client can be granted the desired access) where the accessed file is the SAM, SECURITY or SYSTEM Registry hive. This means the Audit Detailed File Share subcategory must be enabled on the target system; otherwise these events are never logged. 
22 | 23 | The idea for this query comes from a tweet by Stephan Berger (@malmoeb on Twitter/X), which pointed to an article (referenced below) from ITRES that I had read only a few days earlier. 24 | 25 | https://x.com/malmoeb/status/1943310097905533302 26 | 27 | Note that I may add other queries for this, as I believe there is more than one detection opportunity here beyond the ones listed by ITRES. 28 | 29 | #### Author 30 | - **Name:** SecurityAura 31 | - **Github:** https://github.com/SecurityAura 32 | - **Twitter:** https://x.com/SecurityAura 33 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 34 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 35 | - **LinkedIn:** Coming Soon! 36 | - **Website:** https://medium.com/@securityaura 37 | 38 | #### References #### 39 | 40 | - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5145 41 | - https://labs.itresit.es/2025/06/11/remote-windows-credential-dump-with-shadow-snapshots-exploitation-and-detection/ 42 | 43 | ### Queries Overview ### 44 | 45 | - Microsoft Sentinel (SecurityEvent) - 1 query 46 | 47 | ## Microsoft Sentinel ## 48 | ### SecurityEvent ### 49 | ```KQL 50 | SecurityEvent 51 | | where EventID == 5145 52 | | where RelativeTargetName in~ (@"System32\config\SECURITY",@"System32\config\SYSTEM",@"System32\config\SAM") 53 | ``` 54 | -------------------------------------------------------------------------------- /DFIR/OfficeActivity x AuditLogs - Containment of Users with flagged IPs events.md: -------------------------------------------------------------------------------- 1 | # *OfficeActivity x AuditLogs - Containment of Users with flagged IPs events* 2 | 3 | ## Description 4 | 5 | The query below summarizes the containment actions taken on users who had activity from flagged IP addresses. 
6 | 7 | It works by building a list of all users who had OfficeActivity events from a predefined list of flagged IP addresses and then cross-referencing them against the AuditLogs table to see whether containment actions (e.g. password reset, account disable) were taken. The join keys are lower-cased because the UPN casing is not guaranteed to match between the two tables. 8 | 9 | ## Prerequisite(s) 10 | 11 | - A list of IP addresses that you identified as being malicious, suspicious and/or of interest. 12 | - Adjust the time range so that it covers both the incident and the containment actions that would have been taken. 13 | 14 | ## Microsoft Sentinel 15 | ### Query #1 - OfficeActivity x AuditLogs - Containment of Users with flagged IPs events 16 | ```KQL 17 | let FlaggedIPs = dynamic([ 18 | "1.1.1.1", 19 | "2.2.2.2" 20 | ]); 21 | let CompromisedUsers = ( 22 | OfficeActivity 23 | | where ClientIP has_any (FlaggedIPs) 24 | or Client_IPAddress has_any (FlaggedIPs) 25 | or ActorIpAddress has_any (FlaggedIPs) 26 | | summarize by UserId = tolower(UserId) 27 | ); 28 | AuditLogs 29 | | where OperationName in~ ("Disable account","Reset user password","Reset password (self-service)","Reset password (by admin)") 30 | | extend Id = tostring(parse_json(TargetResources)[0].id) 31 | | extend TargetUPN = tolower(tostring(parse_json(TargetResources)[0].userPrincipalName)) 32 | | join kind=rightouter CompromisedUsers on $left.TargetUPN == $right.UserId 33 | | summarize ["Operations"] = make_set(OperationName) 34 | by UserId 35 | | extend AccountDisabled = iif(Operations has "Disable account", "Yes", "No") 36 | | extend AccountPasswordReset = iif(Operations has "Reset user password", "Yes", "No") 37 | | extend AccountPasswordResetBySelfService = iif(Operations has "Reset password (self-service)", "Yes", "No") 38 | | extend AccountPasswordResetByAdmin = iif(Operations has "Reset password (by admin)", "Yes", "No") 39 | | extend AtLeastOnePasswordResetOperation = iif (Operations has "password", "Yes", "No") 40 | | project UserId, AccountDisabled, AccountPasswordReset, 
AccountPasswordResetBySelfService, AccountPasswordResetByAdmin, AtLeastOnePasswordResetOperation 41 | ``` 42 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 96 - certutil.exe Used to Decode a File into a PE.md: -------------------------------------------------------------------------------- 1 | # *certutil.exe Used to Decode a File into a PE* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/04/08 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1140 | Deobfuscate/Decode Files or Information | https://attack.mitre.org/techniques/T1140/ | 17 | 18 | #### Description 19 | 20 | This query returns events where certutil.exe is used to decode a file into a PE. The idea is that the original file is simply a base64-encoded file (e.g. payload.txt) that, once decoded with certutil.exe, turns into a valid PE (e.g. payload.exe), which can then be executed. 21 | 22 | That file can be brought onto a system in different ways, or even created in place (e.g. by echoing a whole base64-encoded string into a file and then decoding it with certutil). The REvil attack that leveraged Kaseya used that exact concept: 23 | 24 | https://blog.qualys.com/vulnerabilities-threat-research/2021/07/07/analyzing-the-revil-ransomware-attack 25 | 26 | #### Author 27 | - **Name:** SecurityAura 28 | - **Github:** https://github.com/SecurityAura 29 | - **Twitter:** https://x.com/SecurityAura 30 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 31 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 32 | - **LinkedIn:** Coming Soon! 
33 | - **Website:** https://medium.com/@securityaura 34 | 35 | ### Queries Overview ### 36 | 37 | - Microsoft Defender for Endpoint (MDE) - 1 query 38 | 39 | ## Defender XDR ## 40 | ### Microsoft Defender for Endpoint via DeviceFileEvents ### 41 | ```KQL 42 | DeviceFileEvents 43 | | where InitiatingProcessFileName =~ "certutil.exe" 44 | | where InitiatingProcessCommandLine has_any ("decode", "decodehex") 45 | | extend FileType = tostring(parse_json(AdditionalFields).FileType) 46 | | where FileType == "PortableExecutable" 47 | ``` 48 | ## Microsoft Sentinel ## 49 | ### Microsoft Defender for Endpoint via DeviceFileEvents ### 50 | ```KQL 51 | DeviceFileEvents 52 | | where InitiatingProcessFileName =~ "certutil.exe" 53 | | where InitiatingProcessCommandLine has_any ("decode", "decodehex") 54 | | extend FileType = tostring(parse_json(AdditionalFields).FileType) 55 | | where FileType == "PortableExecutable" 56 | ``` 57 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 61 - SoftPerfect Network Scanner Usage.md: -------------------------------------------------------------------------------- 1 | # *SoftPerfect Network Scanner Usage* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/03/02 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1046 | Network Service Discovery | https://attack.mitre.org/techniques/T1046/ | 17 | 18 | #### Description 19 | 20 | This query returns events where SoftPerfect Network Scanner (netscan.exe) is used. 21 | 22 | That tool needs no introduction and there is little to say about it other than: if you get a hit, confirm that it is actually being used legitimately. 
23 | 24 | #### Author 25 | - **Name:** SecurityAura 26 | - **Github:** https://github.com/SecurityAura 27 | - **Twitter:** https://x.com/SecurityAura 28 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 29 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 30 | - **LinkedIn:** Coming Soon! 31 | - **Website:** https://medium.com/@securityaura 32 | 33 | ### Queries Overview ### 34 | 35 | - Defender for Endpoint (MDE) - 1 query 36 | 37 | ## Microsoft Defender XDR ## 38 | ### Microsoft Defender for Endpoint via DeviceEvents, DeviceFileEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents (union) ### 39 | ```KQL 40 | union DeviceEvents, DeviceFileEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents 41 | | where FileName =~ "netscan.exe" 42 | or ProcessVersionInfoCompanyName has "SoftPerfect" 43 | or InitiatingProcessFileName =~ "netscan.exe" 44 | or InitiatingProcessVersionInfoCompanyName has "SoftPerfect" 45 | ``` 46 | ## Microsoft Sentinel ## 47 | ### Microsoft Defender for Endpoint via DeviceEvents, DeviceFileEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents (union) ### 48 | ```KQL 49 | union DeviceEvents, DeviceFileEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents 50 | | where FileName =~ "netscan.exe" 51 | or ProcessVersionInfoCompanyName has "SoftPerfect" 52 | or InitiatingProcessFileName =~ "netscan.exe" 53 | or InitiatingProcessVersionInfoCompanyName has "SoftPerfect" 54 | ``` 55 | -------------------------------------------------------------------------------- /Defender for Endpoint/Windows Service Environment Registry Value Modification.md: -------------------------------------------------------------------------------- 1 | # *Windows Service Environment Registry Value Modification* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | 
Comments | 8 | |---|---| 9 | | 2025/06/11 | Initial version | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | T1112 | Modify Registry | https://attack.mitre.org/techniques/T1112/ | 16 | 17 | #### Description 18 | 19 | This query looks for Registry events involving the Environment Registry value of a Windows service's Registry key. Custom environment variables can be set (or reassigned) this way, and the service runs with them once it starts. This can force it to load files (e.g. DLLs) from an arbitrary, user-defined path taken from that Registry value. 20 | 21 | For the time being, I'm only tagging it as T1112, since we're looking at a Registry modification event. The end result could map to more TTPs (such as DLL hijacking). 22 | 23 | All the credit for this query idea goes to @Wietze (on Twitter/X), who shared this via his #HuntingTipOfTheDay. 24 | 25 | #### Author 26 | - **Name:** SecurityAura 27 | - **Github:** https://github.com/SecurityAura 28 | - **Twitter:** https://x.com/SecurityAura 29 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 30 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 31 | - **LinkedIn:** Coming Soon! 
34 | - **Website:** https://medium.com/@securityaura 35 | 36 | #### References 37 | 38 | - https://www.wietzebeukema.nl/blog/save-the-environment-variables#implications-for-privilege-escalation-and-persistence 39 | 40 | ### Queries Overview ### 41 | 42 | - Defender for Endpoint (MDE) - 1 query 43 | 44 | ## Microsoft Defender XDR ## 45 | ### Defender for Endpoint (MDE) via DeviceRegistryEvents ### 46 | ```KQL 47 | DeviceRegistryEvents 48 | | where RegistryKey matches regex @"(?i)HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+" 49 | | where RegistryValueName =~ "Environment" 50 | ``` 51 | ## Microsoft Sentinel ## 52 | ### Defender for Endpoint (MDE) via DeviceRegistryEvents ### 53 | ```KQL 54 | DeviceRegistryEvents 55 | | where RegistryKey matches regex @"(?i)HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+" 56 | | where RegistryValueName =~ "Environment" 57 | ``` 58 | -------------------------------------------------------------------------------- /Defender for Endpoint/Events Involving Folder or Path with Trailing Space.md: -------------------------------------------------------------------------------- 1 | # *Events Involving Folder or Path with Trailing Space* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/06/14 | Initial version | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | T1036 | Masquerading | https://attack.mitre.org/techniques/T1036/ | 16 | 17 | #### Description 18 | 19 | This query looks for file, image load and process events involving a path where a folder has a trailing space. A simple regex that looks for any folder with a trailing space in the path is all we need here. Be careful: depending on the number of systems you're running this against and the timeframe, it could use a lot of resources. 
If needed, you can split it into three (3) distinct queries, one per table. 20 | 21 | Threat actors and/or malware can create folders with a trailing space to blend in and/or avoid detection, as an extra degree of attention is required to spot these odd paths when reviewing data. Static detections that rely on partial or full paths could also be evaded this way. 22 | 23 | All the credit for this query idea goes to @Wietze (on Twitter/X), who shared this via his #HuntingTipOfTheDay. See his tweet for more ways this technique can be abused! 24 | 25 | https://x.com/Wietze/status/1933495425907999055 26 | 27 | #### Author 28 | - **Name:** SecurityAura 29 | - **Github:** https://github.com/SecurityAura 30 | - **Twitter:** https://x.com/SecurityAura 31 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 32 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 33 | - **LinkedIn:** Coming Soon! 34 | - **Website:** https://medium.com/@securityaura 35 | 36 | ### Queries Overview ### 37 | 38 | - Defender for Endpoint (MDE) - 1 query 39 | 40 | ## Microsoft Defender XDR ## 41 | ### Defender for Endpoint (MDE) via DeviceProcessEvents, DeviceFileEvents, DeviceImageLoadEvents ### 42 | ```KQL 43 | union DeviceProcessEvents, DeviceFileEvents, DeviceImageLoadEvents 44 | | where FolderPath matches regex @"\\[^\\]*\s\\|\\[^\\]*\s$" 45 | ``` 46 | ## Microsoft Sentinel ## 47 | ### Defender for Endpoint (MDE) via DeviceProcessEvents, DeviceFileEvents, DeviceImageLoadEvents ### 48 | ```KQL 49 | union DeviceProcessEvents, DeviceFileEvents, DeviceImageLoadEvents 50 | | where FolderPath matches regex @"\\[^\\]*\s\\|\\[^\\]*\s$" 51 | ``` 52 | -------------------------------------------------------------------------------- /Malware/ClickFix - conhost.exe headless and wmic product install remote source.md: -------------------------------------------------------------------------------- 1 | # *ClickFix - conhost.exe headless and wmic product install remote 
source* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/05/24 | Initial version | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | T1204.004 | User Execution: Malicious Copy and Paste | https://attack.mitre.org/techniques/T1204/004/ | 16 | | T1047 | Windows Management Instrumentation | https://attack.mitre.org/techniques/T1047/ | 17 | | T1202 | Indirect Command Execution | https://attack.mitre.org/techniques/T1202/ | 18 | 19 | #### Description 20 | 21 | Taken from a ClickFix command line observed on May 24, 2025. It is worth noting that this command line was correctly flagged as ClickFix by Defender for Endpoint (MDE) and blocked. 22 | 23 | These queries look for: 24 | 25 | - Processes spawned by a conhost.exe process that was launched with the --headless argument 26 | - wmic.exe calling "product call install" where the install source (package) is hosted remotely (on the Internet) 27 | 28 | ### References ### 29 | 30 | - https://x.com/SecurityAura/status/1926447337926267238 31 | - https://lolbas-project.github.io/lolbas/Binaries/Conhost/ 32 | 33 | ### Queries Overview ### 34 | 35 | - Defender for Endpoint (MDE) - 2 queries 36 | 37 | ## Defender XDR ## 38 | ### Query 1 - Defender for Endpoint (MDE) via DeviceProcessEvents ### 39 | ```KQL 40 | DeviceProcessEvents 41 | | where InitiatingProcessFileName =~ "conhost.exe" 42 | | where InitiatingProcessCommandLine has "--headless" 43 | ``` 44 | ### Query 2 - Defender for Endpoint (MDE) via DeviceProcessEvents ### 45 | ```KQL 46 | DeviceProcessEvents 47 | | where FileName =~ "wmic.exe" 48 | | where ProcessCommandLine has_all ("product", "call", "install") 49 | | where ProcessCommandLine has_any ("http", "https") 50 | ``` 51 | ## Microsoft Sentinel ## 52 | ### Query 1 - Defender for Endpoint (MDE) via DeviceProcessEvents ### 53 | ```KQL 54 | DeviceProcessEvents 55 | | where InitiatingProcessFileName =~ 
"conhost.exe" 56 | | where InitiatingProcessCommandLine has "--headless" 57 | ``` 58 | ### Query 2 - Defender for Identity (MDI) via IdentityLogonEvents ### 59 | ```KQL 60 | DeviceProcessEvents 61 | | where FileName =~ "wmic.exe" 62 | | where ProcessCommandLine has_all ("product", "call", "install") 63 | | where ProcessCommandLine has_any ("http", "https") 64 | ``` 65 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 80 - mshta.exe Executing Raw Script From Command Line.md: -------------------------------------------------------------------------------- 1 | # *mshta.exe Executing Raw Script From Command Line* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/03/22 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1218.005 | System Binary Proxy Execution: Mshta | https://attack.mitre.org/techniques/T1218/005/ | 17 | 18 | #### Description 19 | 20 | DISCLAIMER - I have to post this query quickly today. I'll comeback to it and update it with more information later on. 21 | 22 | This query returns events where mshta.exe executes a raw script, may it be VBScript or JavaScript, provided in the command line. 23 | 24 | This query can be used as a detection, since that kind of usage for mshta.exe is very rare. You may see it in environment which relies on a lot of legacy scripts that were never updated and/or migrated to newer languages or technologies, but even there, these are rare. 
25 | 26 | #### Author 27 | - **Name:** SecurityAura 28 | - **Github:** https://github.com/SecurityAura 29 | - **Twitter:** https://x.com/SecurityAura 30 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 31 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 32 | - **LinkedIn:** Coming Soon! 33 | - **Website:** https://medium.com/@securityaura 34 | 35 | ### References ### 36 | 37 | - https://www.mcafee.com/learn/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/ 38 | - https://www.ired.team/offensive-security/code-execution/t1170-mshta-code-execution 39 | - https://redcanary.com/blog/threat-detection/windows-registry-attacks-threat-detection/ 40 | - https://redcanary.com/blog/threat-detection/microsoft-html-application-hta-abuse-part-deux/ 41 | 42 | ### Queries Overview ### 43 | 44 | - Defender for Endpoint (MDE) - 1 query 45 | 46 | ## Microsoft Defender XDR ## 47 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 48 | ```KQL 49 | DeviceProcessEvents 50 | | where FileName =~ "mshta.exe" 51 | | where ProcessCommandLine has_any ("javascript:", "vbscript:") 52 | ``` 53 | ## Microsoft Sentinel ## 54 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 55 | ```KQL 56 | DeviceProcessEvents 57 | | where FileName =~ "mshta.exe" 58 | | where ProcessCommandLine has_any ("javascript:", "vbscript:") 59 | ``` 60 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 78 - Sign-In Events From IP Address Associated With Malicious Domain.md: -------------------------------------------------------------------------------- 1 | # *Sign-In Events From IP Address Associated With Malicious Domain* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/03/20 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | 
Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | N/A | N/A | N/A | 17 | 18 | #### Description 19 | 20 | This query returns events where a sign-in was observed from an IP address associated with a malicious domain that you define. 21 | 22 | This is an investigative query, not a detection. It is meant for situations where users may have accessed a specific phishing domain you identified (through whatever means) and where that domain (or its IP) then attempts a sign-in (successful or not) with the credentials the user provided (e.g. AiTM). 23 | 24 | Note that the resolved IPs come from the DnsConnectionInspected events of onboarded endpoints, so the query only knows about IPs that those endpoints actually resolved or connected to. 25 | 26 | #### Author 27 | - **Name:** SecurityAura 28 | - **Github:** https://github.com/SecurityAura 29 | - **Twitter:** https://x.com/SecurityAura 30 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 31 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 32 | - **LinkedIn:** Coming Soon! 
33 | - **Website:** https://medium.com/@securityaura 34 | 35 | ### Queries Overview ### 36 | 37 | - Microsoft Sentinel - 1 query 38 | 39 | ## Microsoft Sentinel ## 40 | ### Microsoft Defender for Endpoint via DeviceNetworkEvents and Entra ID via SigninLogs, AADNonInteractiveUserSignInLogs ### 41 | ```KQL 42 | let PhishingDomain = "INSERT_PHISHING_DOMAIN_HERE"; 43 | let NetworkEventsDns = ( 44 | DeviceNetworkEvents 45 | | where ActionType == "DnsConnectionInspected" 46 | | where AdditionalFields has PhishingDomain 47 | | extend DNSAnswerIP = parse_json(AdditionalFields).answers 48 | | mv-expand DNSAnswerIP 49 | | extend DNSAnswerIP = tostring(DNSAnswerIP) 50 | | distinct DNSAnswerIP 51 | ); 52 | let NetworkEventsConnections = ( 53 | DeviceNetworkEvents 54 | | where RemoteUrl has PhishingDomain 55 | or RemoteIP in (NetworkEventsDns) 56 | | distinct RemoteIP 57 | ); 58 | union SigninLogs, AADNonInteractiveUserSignInLogs 59 | | where IPAddress in (NetworkEventsConnections) 60 | 61 | ``` 62 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 51 - Command Execution Coming From Windows Remote Management.md: -------------------------------------------------------------------------------- 1 | # *Command Execution Coming From Windows Remote Management* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/02/20 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1047 | Windows Management Instrumentation | https://attack.mitre.org/techniques/T1047/ | 17 | | T1021.006 | Remote Services: Windows Remote Management | https://attack.mitre.org/techniques/T1021/006/ | 18 | 19 | #### Description 20 | 21 | DISCLAIMER - I sadly also have to post this very quickly today. 
I'll come back later to update this page with more information/details. For now, see the description from this query's "sister" query (Day 50): 22 | 23 | https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2050%20-%20Windows%20Remote%20Management%20Command%20Targeting%20a%20Remote%20Endpoint.md 24 | 25 | The query below looks for traces of command/process execution on an endpoint that was the TARGET of Windows Remote Management commands. Summary for now: 26 | 27 | - wmic.exe leads to WmiPrvSE.exe launching the command on the target 28 | - PowerShell Remoting leads to WSMProvHost.exe launching the command on the target 29 | - winrs.exe leads to winrshost.exe launching the command on the target 30 | 31 | I am going to add queries to trace back the logon associated with the remote command execution as well. 32 | 33 | #### Author 34 | - **Name:** SecurityAura 35 | - **Github:** https://github.com/SecurityAura 36 | - **Twitter:** https://x.com/SecurityAura 37 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 38 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 39 | - **LinkedIn:** Coming Soon! 
40 | - **Website:** https://medium.com/@securityaura 41 | 42 | ### Queries Overview ### 43 | 44 | - Defender for Endpoint (MDE) - 1 query (for now) 45 | 46 | ## Microsoft Defender XDR ## 47 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 48 | ```KQL 49 | DeviceProcessEvents 50 | | where InitiatingProcessFileName in~ ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") 51 | ``` 52 | ## Microsoft Sentinel ## 53 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 54 | ```KQL 55 | DeviceProcessEvents 56 | | where InitiatingProcessFileName in~ ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") 57 | ``` 58 | -------------------------------------------------------------------------------- /Defender for Endpoint/System Time Manipulation - Retrosigned Drivers EDR Bypass.md: -------------------------------------------------------------------------------- 1 | # *System Time Manipulation - Retrosigned Drivers EDR Bypass* 2 | 3 | ## Query Information 4 | 5 | Per an article from Aon Stroz Friedberg from September 2024, ransomware actors have been observed manipulating system time on endpoints in order to bypass the EDR. 
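Added example that is not part of the original page: the query on this page fires on any single step of the net stop w32time / w32tm /unregister / Set-Date chain described below, and the first of those steps also shows up in routine administration. The query here correlates the steps per device inside a 30-minute window, so that a host where two or more distinct steps ran rises to the top and the requested date is surfaced when Set-Date receives it inline. The step labels, the window length and the Set-Date argument regex are my own choices; a chain that straddles a window boundary is split across two rows.

```kql
// Added example, not the page's own query: correlate the three steps of the system time
// manipulation chain per device. Step labels, window and regex are assumptions of this example.
let Window = 30m;
DeviceProcessEvents
| extend Step = case(
    FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has_all ("stop", "w32time"), "1-StopTimeService",
    FileName =~ "w32tm.exe" and ProcessCommandLine has "unregister", "2-UnregisterTimeService",
    FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Set-Date", "3-ChangeSystemTime",
    "")
| where isnotempty(Step)
// Date the actor tries to set, when given inline (e.g. Set-Date "01/01/2015" or Set-Date -Date 2015-01-01);
// forms such as (Get-Date).AddYears(-10) are not captured
| extend RequestedDate = extract(@"(?i)Set-Date\s+(?:-Date\s+)?[""']?([\d/\-\.:]+)", 1, ProcessCommandLine)
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp),
            Steps = make_set(Step), Commands = make_set(ProcessCommandLine),
            Accounts = make_set(AccountName),
            RequestedDates = make_set_if(RequestedDate, isnotempty(RequestedDate))
    by DeviceId, DeviceName, bin(Timestamp, Window)
| extend DistinctSteps = array_length(Steps)
// Two or more distinct steps on one host in the window is the signal worth alerting on
| where DistinctSteps >= 2
| order by DistinctSteps desc, EndTime desc
```

Because Set-Date alone is also used legitimately (and net stop w32time even more so), the threshold of two distinct steps is what makes this usable as an alert rather than a hunt; drop the `where DistinctSteps >= 2` line to get the same per-device view for hunting.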
6 | 7 | #### MITRE ATT&CK Technique(s) 8 | 9 | | Technique ID | Title | Link | 10 | | --- | --- | --- | 11 | | T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ | 12 | | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | https://attack.mitre.org/techniques/T1059/003/ | 13 | | T1489 | Service Stop | https://attack.mitre.org/techniques/T1489/ | 14 | 15 | #### Description 16 | 17 | This rule detects any step in a chain of three (3) commands used to manipulate the system time on an endpoint: 18 | 19 | - net.exe to stop the w32time service 20 | - w32tm.exe to unregister the time service 21 | - PowerShell (Set-Date) to change the system date/time 22 | 23 | #### Risk 24 | 25 | A threat actor is attempting to change the system time of an endpoint, which could allow them to use the Retrosigned Drivers EDR Bypass. 26 | 27 | #### Author 28 | - **Name:** SecurityAura 29 | - **Github:** https://github.com/SecurityAura 30 | - **Twitter:** https://x.com/SecurityAura 31 | - **LinkedIn:** Coming Soon! 
32 | - **Website:** https://medium.com/@securityaura 33 | 34 | #### References 35 | - https://www.aon.com/en/insights/cyber-labs/bypassing-edr-through-retrosigned-drivers-and-system-time-manipulation 36 | - https://x.com/StrozDFIR/status/1835796156368195897 (Original Tweet) 37 | - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff799054(v=ws.11) 38 | - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/set-date?view=powershell-7.4 39 | 40 | ## Defender XDR 41 | ```KQL 42 | DeviceProcessEvents 43 | | where FileName in~ ("net.exe","net1.exe") and ProcessCommandLine has_all ("stop","w32time") 44 | or FileName =~ "w32tm.exe" and ProcessCommandLine has ("unregister") 45 | or FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has ("Set-Date") 46 | ``` 47 | ## Microsoft Sentinel 48 | ```KQL 49 | DeviceProcessEvents 50 | | where FileName in~ ("net.exe","net1.exe") and ProcessCommandLine has_all ("stop","w32time") 51 | or FileName =~ "w32tm.exe" and ProcessCommandLine has ("unregister") 52 | or FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has ("Set-Date") 53 | ``` 54 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 93 - PowerShell IEX or Invoke-Expression.md: -------------------------------------------------------------------------------- 1 | # *PowerShell IEX or Invoke-Expression* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/04/05 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ | 17 | 18 | #### Description 19 | 20 | This query return events where the PowerShell 
Invoke-Expression/IEX (shortened version) cmdlet was used. 21 | 22 | The most popular cmdlet used by threat actors, malware and everything in between to just straight up pipe to PowerShell the content of a script (or commands) to execute. Even more suspicious if these are present in encoded PowerShell commands (being in the encoded part, or getting in input the encoded command). 23 | 24 | Should be quite easy to spot suspicious/malicious behavior with this through Threat Hunting. And depending of your environment, could be fine-tuned into a detection rule. 25 | 26 | #### Author 27 | - **Name:** SecurityAura 28 | - **Github:** https://github.com/SecurityAura 29 | - **Twitter:** https://x.com/SecurityAura 30 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 31 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 32 | - **LinkedIn:** Coming Soon! 33 | - **Website:** https://medium.com/@securityaura 34 | 35 | ### Queries Overview ### 36 | 37 | - Microsoft Defender for Endpoint (MDE) - 2 queries 38 | 39 | ## Defender XDR ## 40 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 41 | ```KQL 42 | DeviceProcessEvents 43 | | where FileName in~ ("powershell.exe", "pwsh.exe") 44 | | where ProcessCommandLine has_any ("IEX", "Invoke-Expression") 45 | ``` 46 | ### Microsoft Defender for Endpoint via DeviceEvents ### 47 | ```KQL 48 | DeviceEvents 49 | | where ActionType == "PowerShellCommand" 50 | | where AdditionalFields has_any ("IEX", "Invoke-Expression") 51 | ``` 52 | ## Microsoft Sentinel ## 53 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 54 | ```KQL 55 | DeviceProcessEvents 56 | | where FileName in~ ("powershell.exe", "pwsh.exe") 57 | | where ProcessCommandLine has_any ("IEX", "Invoke-Expression") 58 | ``` 59 | ### Microsoft Defender for Endpoint via DeviceEvents ### 60 | ```KQL 61 | DeviceEvents 62 | | where ActionType == "PowerShellCommand" 63 | | where AdditionalFields has_any ("IEX", 
"Invoke-Expression") 64 | ``` 65 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 89 - WmiPrvSE.exe Launching Command Executed Remotely.md: -------------------------------------------------------------------------------- 1 | # *WmiPrvSE.exe Launching Command Executed Remotely* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/04/01 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1047 | Windows Management Instrumentation | https://attack.mitre.org/techniques/T1047/ | 17 | | T1021.006 | Remote Services: Windows Remote Management | https://attack.mitre.org/techniques/T1021/006/ | 18 | 19 | #### Description 20 | 21 | DISCLAIMER: This command will only catch "reverse-shell"-like commands executed through WMI if they are wrapped in a cmd.exe (e.g.: cmd.exe /c whoami.exe > C:\Temp\wmi_whoami.txt) 22 | 23 | This query returns events WmiPrvSE.exe (Windows Management Instrumentation) launched a command executed remotely. 24 | 25 | The query below is a deeper dive on this bullet point from Day 51 query (therefore, refer to its description for what you're looking for here and how it can be (ab)used by threat actors): 26 | 27 | - wmic.exe leads to WmiPrvSE.exe launching the command on the target 28 | 29 | In Defender for Endpoint (MDE), this specific process execution can actually be found in its own ActionType of ProcessCreatedUsingWmiQuery within the DeviceEvents table. What if you don't have MDE however? Well, it is still possible to link the execution of a process (e.g.: cmd.exe) to WmiPrvSE.exe if that command was launched remotely by linking the TargetLogonId of the EID 4688 (Process Creation Event) and a EID 4624 (Successful Logon) with a Network Logon (Logon Type 3). 
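The 4688/4624 join described above, re-implemented in Python over a handful of constructed SecurityEvent-like records so the correlation logic can be exercised offline. This is an added example, not code from the repository; the sample records, the `SourceIp`/`LogonUser` output fields and the `child_names` parameter are assumptions of the example (the default reproduces the cmd.exe-only behaviour noted in the disclaimer, and widening the list generalizes it to other children of WmiPrvSE.exe).

```python
"""Correlate EID 4688 (process created under WmiPrvSE.exe) with EID 4624 (LogonType 3).

Added example, not part of the repository. It mirrors the Sentinel query in this file:
network logons (4624, LogonType 3) are joined to 4688 events on Computer + TargetLogonId.
All records below are constructed samples, not real telemetry.
"""
import ntpath

# Constructed SecurityEvent-like records. Field names follow the Sentinel SecurityEvent table.
SAMPLE_EVENTS = [
    # Remote WMI execution on WS01: a network logon, then cmd.exe spawned by WmiPrvSE.exe
    # under the same logon session. This is the case the query is meant to catch.
    {"EventID": 4624, "Computer": "WS01", "LogonType": "3", "TargetLogonId": "0x3e7a1",
     "IpAddress": "10.0.0.25", "TargetUserName": "jdoe", "TimeGenerated": "2025-04-01T10:00:00Z"},
    {"EventID": 4688, "Computer": "WS01", "TargetLogonId": "0x3e7a1",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami.exe > C:\Temp\wmi_whoami.txt",
     "TimeGenerated": "2025-04-01T10:00:02Z"},
    # Local interactive session (LogonType 2) on WS01 doing the same thing: not remote, no hit.
    {"EventID": 4624, "Computer": "WS01", "LogonType": "2", "TargetLogonId": "0x1111",
     "IpAddress": "127.0.0.1", "TargetUserName": "admin", "TimeGenerated": "2025-04-01T10:05:00Z"},
    {"EventID": 4688, "Computer": "WS01", "TargetLogonId": "0x1111",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c hostname", "TimeGenerated": "2025-04-01T10:05:01Z"},
    # Network logon on WS02 that happens to reuse LogonId 0x1111: the join key is
    # Computer AND TargetLogonId, so it must not be paired with the WS01 4688 above.
    {"EventID": 4624, "Computer": "WS02", "LogonType": "3", "TargetLogonId": "0x1111",
     "IpAddress": "10.0.0.31", "TargetUserName": "svc_backup", "TimeGenerated": "2025-04-01T10:06:00Z"},
    # Remote WMI on WS03 launching powershell.exe directly (no cmd.exe wrapper): the file's
    # query misses this; it is only caught when powershell.exe is added to child_names.
    {"EventID": 4624, "Computer": "WS03", "LogonType": "3", "TargetLogonId": "0x5555",
     "IpAddress": "10.0.0.40", "TargetUserName": "jdoe", "TimeGenerated": "2025-04-01T10:10:00Z"},
    {"EventID": 4688, "Computer": "WS03", "TargetLogonId": "0x5555",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c Get-Process", "TimeGenerated": "2025-04-01T10:10:03Z"},
]


def correlate_remote_wmi(events, child_names=("cmd.exe",)):
    """Return 4688 events spawned by WmiPrvSE.exe that belong to a network logon session.

    child_names: basenames of NewProcessName to consider. The query in this file only looks
    at cmd.exe; widening the list is an assumption of this example.
    """
    wanted = {name.lower() for name in child_names}

    # Pass 1: index successful network logons (EID 4624, LogonType 3) by (Computer, LogonId).
    # LogonType is compared as text because SecurityEvent exposes it as a string column.
    network_logons = {}
    for e in events:
        if e.get("EventID") == 4624 and str(e.get("LogonType")) == "3":
            network_logons.setdefault((e["Computer"], e["TargetLogonId"]), []).append(e)

    # Pass 2: inner join 4688 events whose parent is WmiPrvSE.exe on the same key.
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        parent = ntpath.basename(e.get("ParentProcessName", "")).lower()
        child = ntpath.basename(e.get("NewProcessName", "")).lower()
        if parent != "wmiprvse.exe" or child not in wanted:
            continue
        for logon in network_logons.get((e["Computer"], e["TargetLogonId"]), []):
            hits.append({
                "Computer": e["Computer"],
                "TargetLogonId": e["TargetLogonId"],
                "SourceIp": logon.get("IpAddress"),        # where the remote WMI call came from
                "LogonUser": logon.get("TargetUserName"),
                "NewProcess": child,
                "CommandLine": e.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in correlate_remote_wmi(SAMPLE_EVENTS):
        print(hit)
    # Widened child list (assumption of this example): also catches the direct powershell.exe launch.
    wide = correlate_remote_wmi(SAMPLE_EVENTS, ("cmd.exe", "powershell.exe"))
    print(len(wide), "hits when powershell.exe is included")
```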

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Microsoft Sentinel (SecurityEvent) - 1 query

## Microsoft Sentinel ##
### Microsoft Sentinel via SecurityEvent ###
```KQL
let RemoteWmiProcessEvents = (
    SecurityEvent
    | where EventID == 4688
    | where ParentProcessName has "wmiprvse.exe"
    | where NewProcessName has "cmd.exe"
);
SecurityEvent
| where EventID == 4624
| where LogonType == 3
| join kind=inner RemoteWmiProcessEvents on Computer, TargetLogonId
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 84 - CLR DLLs Loaded by Process with Low Prevalence.md:
--------------------------------------------------------------------------------
# *CLR DLLs Loaded by Process with Low Prevalence*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/26 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1620 | Reflective Code Loading | https://attack.mitre.org/techniques/T1620/ |

#### Description

DISCLAIMER - I have to post this query quickly today. I'll come back to it and update it with more information later on.

This query returns events where a process with a low prevalence loads a CLR DLL.

Another one for the "low prevalence X that does Y thing!". A CLR DLL being loaded by a low prevalence process could point toward an implant, beacon or piece of malware loading .NET assemblies.

Note: This will not detect implants, beacons, etc. that are injected into legitimate processes (e.g.: svchost.exe) and then used to execute/load .NET assemblies.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://redhead0ntherun.medium.com/detecting-net-c-injection-execute-assembly-1894dbb04ff7
- https://detect.fyi/exploring-execute-assembly-a-deep-dive-into-in-memory-threat-execution-60adc61aef8

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceImageLoadEvents ###
```KQL
let LowPrevProcessesLoadingCLRDLLs = (
    DeviceImageLoadEvents
    | where FileName in~ ("clr.dll", "clrjit.dll", "mscoree.dll", "mscorlib.dll", "mscoreei.dll", "mscorlib.ni.dll")
    | where isnotempty(InitiatingProcessSHA1)
    | distinct InitiatingProcessSHA1
    | invoke FileProfile("InitiatingProcessSHA1", 1000)
    // Adjust the GlobalPrevalence filter as needed
    | where GlobalPrevalence < 500
);
DeviceImageLoadEvents
| where FileName in~ ("clr.dll", "clrjit.dll", "mscoree.dll", "mscorlib.dll", "mscoreei.dll", "mscorlib.ni.dll")
| join kind=inner LowPrevProcessesLoadingCLRDLLs on InitiatingProcessSHA1
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 71 - cscript.exe or wscript.exe Launched with Script Engine Parameter.md:
--------------------------------------------------------------------------------
# *cscript.exe or wscript.exe Launched with Script Engine Parameter*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/13 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ |

#### Description

DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance that page with more information when I get better/get back. For now, consider this as a hunting query.

This query returns events where cscript.exe or wscript.exe is launched with the "script engine" parameter.

PS: For more immediate context, it used to be pretty popular back in the day to launch cscript.exe or wscript.exe that way. It may still be today with Gootkit/Gootloader, but it's been a while since I've dealt with it. This isn't the kind of invocation you may see often in an environment. And the use of the /E: parameter is most commonly associated with using the JScript engine.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://www.crowdstrike.com/en-us/blog/hunting-for-malicious-jscript-with-overwatch-elite/
- https://www.sentinelone.com/labs/deep-insight-into-fin7-malware-chain-from-office-macro-malware-to-lightweight-js-loader/
- https://www.uptycs.com/blog/threat-research-report-team/understanding-stealerium-malware-and-its-evasion-techniques

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName in~ ("cscript.exe", "wscript.exe")
| where ProcessCommandLine has_any ("//E:", "/E:")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName in~ ("cscript.exe", "wscript.exe")
| where ProcessCommandLine has_any ("//E:", "/E:")
```
--------------------------------------------------------------------------------
/Defender for Endpoint/ExternalData - Network Connection to Tycoon2FA Domain.md:
--------------------------------------------------------------------------------
# *ExternalData - Network Connection to Tycoon2FA Domain*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/06/02 | Initial version |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |

#### Description

This query looks for network connection events (connections and DNS queries) to Tycoon2FA domains.
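The matching the query below performs, re-implemented in Python over constructed records as an added example (not code from the repository, and not the real NoMorePhish feed): RemoteUrl is checked for outbound connections and, for DnsConnectionInspected events, the queried name is read from the AdditionalFields JSON, a host matching when it equals a listed domain or is a subdomain of one. The feed text, the events and the DeviceName/MatchedHost output fields are assumptions of this example.

```python
"""Match DeviceNetworkEvents-like records against a Tycoon2FA domain list.

Added example, not repository code. It mirrors the KQL in this file: RemoteUrl for
connections, and AdditionalFields.query for ActionType == "DnsConnectionInspected".
The feed and the events below are constructed samples.
"""
import json
from urllib.parse import urlsplit

# Constructed stand-in for the externaldata() text file: one domain per line.
CONSTRUCTED_DOMAIN_FEED = """
# sample feed (constructed, not the real list)
tycoon-example-1.test
tycoon-example-2.test

"""

# Constructed DeviceNetworkEvents-like records.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://login.tycoon-example-1.test/auth", "AdditionalFields": ""},
    {"DeviceName": "ws02", "ActionType": "DnsConnectionInspected", "RemoteUrl": "",
     "AdditionalFields": json.dumps({"query": "tycoon-example-2.test", "qtype": 1})},
    {"DeviceName": "ws03", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://www.example.org/", "AdditionalFields": ""},
    # Look-alike that merely contains a listed domain as a substring: not a match.
    {"DeviceName": "ws04", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://nottycoon-example-1.test/", "AdditionalFields": ""},
]


def load_domain_feed(text):
    """Parse a one-domain-per-line feed; skip blanks and '#' comments, normalise case and trailing dots."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            domains.add(line)
    return domains


def _hostname(value):
    """Extract a lowercase hostname from a URL or a bare host string ('' if none)."""
    value = value.strip()
    if not value:
        return ""
    parsed = urlsplit(value if "://" in value else "//" + value)
    return (parsed.hostname or "").rstrip(".")


def _is_listed(host, domains):
    """True if host equals a listed domain or is a subdomain of one (label-boundary match)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def find_tycoon2fa_hits(events, domains):
    """Return one hit per event whose RemoteUrl host or inspected DNS query is on the list."""
    hits = []
    for e in events:
        candidates = [_hostname(e.get("RemoteUrl", ""))]
        # Same extraction as the KQL: only DnsConnectionInspected carries the queried name.
        if e.get("ActionType") == "DnsConnectionInspected" and e.get("AdditionalFields"):
            try:
                query = json.loads(e["AdditionalFields"]).get("query", "")
            except (ValueError, AttributeError):
                query = ""
            candidates.append(_hostname(str(query)))
        for host in candidates:
            if host and _is_listed(host, domains):
                hits.append({"DeviceName": e.get("DeviceName"),
                             "ActionType": e.get("ActionType"),
                             "MatchedHost": host})
                break
    return hits


if __name__ == "__main__":
    listed = load_domain_feed(CONSTRUCTED_DOMAIN_FEED)
    for hit in find_tycoon2fa_hits(SAMPLE_EVENTS, listed):
        print(hit)
```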

This is made possible by @RacWatchin8872 (https://x.com/RacWatchin8872) tracking these domains via his @NoMorePhis (https://x.com/NoMorePhis) bot and making the domains available on his GitHub.

All credit goes to @RacWatchin8872 for the data leveraged in this query.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://github.com/NoMorePhish/Tycoon2FADomains
- https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/
- https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceNetworkEvents ###
```KQL
let Tycoon2FADomains = externaldata (Domain:string)
    ["https://raw.githubusercontent.com/NoMorePhish/Tycoon2FADomains/refs/heads/main/MaliciousDomains"]
    with(format=txt);
DeviceNetworkEvents
| extend Query = iif(ActionType == "DnsConnectionInspected", tostring(parse_json(AdditionalFields).query), "")
| where RemoteUrl has_any (Tycoon2FADomains)
    or Query has_any (Tycoon2FADomains)
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceNetworkEvents ###
```KQL
let Tycoon2FADomains = externaldata (Domain:string)
    ["https://raw.githubusercontent.com/NoMorePhish/Tycoon2FADomains/refs/heads/main/MaliciousDomains"]
    with(format=txt);
DeviceNetworkEvents
| extend Query = iif(ActionType == "DnsConnectionInspected", tostring(parse_json(AdditionalFields).query), "")
| where RemoteUrl has_any (Tycoon2FADomains)
    or Query has_any (Tycoon2FADomains)
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 3 - Split or Part Archive Files Events.md:
--------------------------------------------------------------------------------
# *Split or Part Archive Files*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/03 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1560.001 | Archive Collected Data: Archive via Utility | https://attack.mitre.org/techniques/T1560/001/ |

#### Description

When it comes to data exfiltration, many threat actors may rely on archiving utilities to collect/stage the data they want to exfiltrate beforehand. For instance, putting all the Office and PDF files from a network share into a RAR or 7z archive.

With applications such as WinRAR and 7-Zip, you also have the option to create split or part archives. Basically, instead of putting a folder with around 10 GB of data inside a single archive, you can break it down into smaller archives of at most 1 GB each. Depending on which application is used, the split/part archives created have a distinctive naming scheme:

- WinRAR - Ends with partX.rar (e.g.: Finances.part1.rar, Finances.part11.rar, Finances.part111.rar, etc.)
- 7-Zip - Ends with 7z.X (e.g.: Finances.7z.001, Finances.7z.011, Finances.7z.111, etc.)

Since we know how these files are named, we can then look for them via Defender for Endpoint (MDE) using the DeviceFileEvents table.

Note: Split archives can be created using other formats/extensions.
For instance, you can also create split archives in ZIP format using 7-Zip. The query below only showcases the RAR and 7z extensions, which are the most popular.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where FileName matches regex @'(?i)\.part[0-9]{1,}\.rar'
    or FileName matches regex @'(?i)\.7z\.[0-9]{1,}'
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where FileName matches regex @'(?i)\.part[0-9]{1,}\.rar'
    or FileName matches regex @'(?i)\.7z\.[0-9]{1,}'
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 72 - New Service Principal Added Following Consent to Application.md:
--------------------------------------------------------------------------------
# *New Service Principal Added Following Consent to Application*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/14 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| N/A | N/A | N/A |

#### Description

DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance that page with more information when I get better/get back. For now, consider this as a hunting query.

This query returns events where a new Service Principal is created in Entra ID following a user's consent to an application.

PS: For more immediate context, this is the kind of query that will return apps newly consented to by users in your tenant, which did not exist before and for which a Service Principal ends up being created. Think BEC scenarios where a threat actor leverages eM Client, for instance.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Microsoft Sentinel (Entra ID) - 1 query

## Microsoft Sentinel ##
### Entra ID via AuditLogs ###
```KQL
let TargetOperations = dynamic([
    "Add app role assignment grant to user",
    "Add delegated permission grant",
    "Add service principal",
    "Consent to application"
]);
let NewServicePrincipalNames = (
    AuditLogs
    | where OperationName == "Add service principal"
    | extend targetResources = parse_json(TargetResources)
    | mv-apply tr = targetResources on (
        extend targetResource = tr.displayName
        | mv-apply mp = tr.modifiedProperties on (
            where mp.displayName == "DisplayName"
            | extend AppName = tostring(mp.newValue)
            | distinct CorrelationId, AppName
        )
    )
);
AuditLogs
| where OperationName in~ (TargetOperations)
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| summarize ["Operations"] = make_set(OperationName) by User, CorrelationId
| where Operations has_all (TargetOperations)
| join kind=inner NewServicePrincipalNames on CorrelationId
| project-reorder User, AppName, CorrelationId
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 64 - Emails With Company Name in Display Name Sent From Non-Company Domains.md:
--------------------------------------------------------------------------------
# *Emails With Company Name in Display Name Sent From Non-Company Domains*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/05 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |

#### Description

DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance that page with more information when I get better/get back. For now, consider this as a hunting query. You also may need to exclude more domains if you use services that send emails from their domains/stack but use your name, such as Jira, Amazon SES, Adobe Sign, etc.

This query returns events where an email was sent to the organization's users with the company name in the sender display name, but the email does not originate from the company's domains and was not blocked.

PS: For more immediate context, this is a query I used to find multiple QR-code phishing emails targeting an organization where they were let through by MDO.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Office 365 (MDO) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Office 365 via EmailEvents ###
```KQL
let CompanyNames = dynamic([
    "CompanyName"
]);
let OrgDomains = dynamic([
    "CompanyDomainA.com",
    "CompanyDomainB.net"
]);
EmailEvents
| where SenderDisplayName has_any (CompanyNames)
| where SenderFromDomain !in~ (OrgDomains)
    and SenderMailFromDomain !in~ (OrgDomains)
| where DeliveryAction != "Blocked"
```
## Microsoft Sentinel ##
### Microsoft Defender for Office 365 via EmailEvents ###
```KQL
let CompanyNames = dynamic([
    "CompanyName"
]);
let OrgDomains = dynamic([
    "CompanyDomainA.com",
    "CompanyDomainB.net"
]);
EmailEvents
| where SenderDisplayName has_any (CompanyNames)
| where SenderFromDomain !in~ (OrgDomains)
    and SenderMailFromDomain !in~ (OrgDomains)
| where DeliveryAction != "Blocked"
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 91 - Large EXE or MSI File Observed in User Downloads Folder.md:
--------------------------------------------------------------------------------
# *Large EXE or MSI File Observed in User Downloads Folder*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/04/03 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1027.001 | Obfuscated Files or Information: Binary Padding | https://attack.mitre.org/techniques/T1027/001/ |

#### Description

This query returns events where a large (over 300 MB) EXE or MSI file is observed in a user's Downloads folder.

Defender for Endpoint (MDE) has a known limitation with large files (at least 300+ MB): hashes for them aren't computed/present in the various tables (DeviceFileEvents, DeviceProcessEvents, etc.). Therefore, it is hard to do anything with them at a hash level (e.g.: look up their DeviceFileCertificateInfo, FileProfile(), etc.).

Using large files in initial access isn't new, but it sure is the favorite technique used by some malware (hello SolarMarker!). Most of them are actually inflated/bloated using multiple techniques. You can "debloat" them using a tool of the same name by @Squiblydoo.

https://github.com/Squiblydoo/debloat

Some online services, such as MalwareBazaar, also support debloating inflated binaries.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath matches regex @'(?i)\\Users\\[^\\]+\\Downloads\\(.*)?'
// Large files have no hash computed by MDE
| where isempty(SHA1)
// 300 MB
| where FileSize > 300000000
| extend FileExtension = tostring(split(FileName, ".")[-1])
| where FileExtension in~ ("exe", "msi")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath matches regex @'(?i)\\Users\\[^\\]+\\Downloads\\(.*)?'
// Large files have no hash computed by MDE
| where isempty(SHA1)
// 300 MB
| where FileSize > 300000000
| extend FileExtension = tostring(split(FileName, ".")[-1])
| where FileExtension in~ ("exe", "msi")
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 42 - nltest.exe Execution.md:
--------------------------------------------------------------------------------
# *nltest.exe Execution*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/02/11 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1482 | Domain Trust Discovery | https://attack.mitre.org/techniques/T1482 |
| T1018 | Remote System Discovery | https://attack.mitre.org/techniques/T1018 |
| T1016 | System Network Configuration Discovery | https://attack.mitre.org/techniques/T1016 |

#### Description

This query returns events where nltest.exe was executed.

That's it, that's the description. At this point, it should be well known that any instance of nltest.exe should be investigated because:

- It really is not run that often in the day-to-day
- Once again, it really is not run that often in the day-to-day
- It is quite easy to find out if its execution was done legitimately (benign, expected behavior or not)

If you get a hit on this, it only takes a few seconds to look at all the DeviceProcessEvents surrounding that event to see if it is coupled with other discovery-related commands, comes from an account that should not be running that command, was executed at odd hours, etc.

In terms of "low-hanging fruit" indicators of an intrusion (e.g.: ransomware attack), this is easily in the Top 5.
33 | 34 | #### Author 35 | - **Name:** SecurityAura 36 | - **Github:** https://github.com/SecurityAura 37 | - **Twitter:** https://x.com/SecurityAura 38 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 39 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 40 | - **LinkedIn:** Coming Soon! 41 | - **Website:** https://medium.com/@securityaura 42 | 43 | ### Reference(s) 44 | 45 | - https://attack.mitre.org/software/S0359/ 46 | - https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/ 47 | - https://www.threatdown.com/blog/5-early-signs-of-a-ransomware-attack-based-on-real-examples/ 48 | - https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/ 49 | - There are just SO many 50 | 51 | ### Queries Overview ### 52 | 53 | - Defender for Endpoint (MDE) - 1 query 54 | 55 | ## Microsoft Defender XDR ## 56 | ### Microsoft Defender for Endpoint DeviceProcessEvents ### 57 | ```KQL 58 | DeviceProcessEvents 59 | | where FileName =~ "nltest.exe" 60 | ``` 61 | ## Microsoft Sentinel ## 62 | ### Microsoft Defender for Endpoint DeviceProcessEvents ### 63 | ```KQL 64 | DeviceProcessEvents 65 | | where FileName =~ "nltest.exe" 66 | ``` 67 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 87 - Command Line Interpreter Launched as Service.md: -------------------------------------------------------------------------------- 1 | # *Command Line Interpreter Launched as Service* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/03/30 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1059.001 | Command and Scripting Interpreter: PowerShell | 
https://attack.mitre.org/techniques/T1059/001/ | 17 | | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | https://attack.mitre.org/techniques/T1059/001/ | 18 | | T1569.002 | System Services: Service Execution | https://attack.mitre.org/techniques/T1569/002/ | 19 | | T1543.003 | Create or Modify System Process: Windows Service | https://attack.mitre.org/techniques/T1543/003/ | 20 | 21 | #### Description 22 | 23 | This query returns events where a command line interpreter (cmd.exe, powershell.exe or pwsh.exe) is spawned by services.exe, therefore, most likely launched as Windows Service. 24 | 25 | Threat Actors can execute commands remotely on hosts through the Service Control Manager (SCM) where a Windows Service can be created or manipulated (read: modified) to execute either one-time commands and/or persistent commands that will be executed when that service launch. Windows Services are launched by services.exe, and depending on the environment, having services.exe launch a command line interpreter is highly unsual, to not say downright suspicious. 26 | 27 | If you've ever dealt with Cobalt Strike, you know. 28 | 29 | #### Author 30 | - **Name:** SecurityAura 31 | - **Github:** https://github.com/SecurityAura 32 | - **Twitter:** https://x.com/SecurityAura 33 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 34 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 35 | - **LinkedIn:** Coming Soon! 
- **Website:** https://medium.com/@securityaura

### References ###

- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
- https://www.logpoint.com/en/blog/how-to-detect-stealthy-cobalt-strike-activity-in-your-enterprise/

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where InitiatingProcessFileName =~ "services.exe"
| where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where InitiatingProcessFileName =~ "services.exe"
| where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe")
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 97 - PowerShell COM Interaction.md:
--------------------------------------------------------------------------------
# *PowerShell COM Interaction*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/04/08 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1559.001 | Inter-Process Communication: Component Object Model | https://attack.mitre.org/techniques/T1559/001/ |

#### Description

This query returns events where PowerShell interacts with a Component Object Model (COM) object, such as creating a new one and then calling into it.
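
As an added lab example (not part of this note or of SecurityAura's repository), the PowerShell below obtains the very same WScript.Shell object in two ways and then touches Schedule.Service, the Task Scheduler object. Only the first way leaves the `-ComObject` string that the queries on this page key on; the `whoami` command is an arbitrary harmless choice made here and the host is assumed to be a lab machine.

```powershell
# Added example, not from the 100DaysOfKQL repository. Run in a lab; the only thing
# it executes through COM is "whoami" (an arbitrary, harmless command chosen here).

# 1) The textbook form. The literal "-ComObject" lands in ProcessCommandLine (when typed
#    on the command line) and in the PowerShellCommand record of DeviceEvents.
$shell1 = New-Object -ComObject 'WScript.Shell'
# Run(command, windowStyle, waitOnReturn): 0 = hidden window; returns the exit code
$null = $shell1.Run('cmd.exe /c whoami', 0, $true)

# 2) Same object through .NET COM interop: no "-ComObject" token anywhere, so neither
#    query on this page matches it. Only the ProgID string remains as a hunting handle.
$progId = 'WScript.Shell'
$type   = [Type]::GetTypeFromProgID($progId)
$shell2 = [Activator]::CreateInstance($type)
$null = $shell2.Run('cmd.exe /c whoami', 0, $true)

# 3) Schedule.Service, the other object named in this note: list tasks in the root
#    folder, including hidden ones (flag 1 = TASK_ENUM_HIDDEN), which is what a
#    COM-driven task enumeration looks like in your telemetry.
$scheduler = New-Object -ComObject 'Schedule.Service'
$scheduler.Connect()                 # no arguments = local machine
$tasks = $scheduler.GetFolder('\').GetTasks(1)
$tasks | Select-Object -First 5 Name, Path, State, LastRunTime
```

Because of form (2), the DeviceEvents query is worth widening from `has "-ComObject"` to `has_any ("-ComObject", "GetTypeFromProgID", "GetTypeFromCLSID")`. The DeviceProcessEvents query sees neither form when the object is created inside a script file rather than on the command line, which is exactly the gap the PowerShellCommand events exist to cover.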

For instance, a threat actor (or malware) could use the WScript.Shell COM object to access Windows Shell features, such as launching processes.

One can also interact with Schedule.Service to interact with Windows Scheduled Tasks.

Bringing the power of COM to a PowerShell near you.

The queries below are more suited for hunting, unless there is very little use of PowerShell to interact with COM in your environment and/or you want to target specific COM objects (e.g.: WScript.Shell).

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://isc.sans.edu/diary/24282
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/

### Queries Overview ###

- Microsoft Defender for Endpoint (MDE) - 2 queries

## Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "-ComObject"
```
### Microsoft Defender for Endpoint via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields has "-ComObject"
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "-ComObject"
```
### Microsoft Defender for Endpoint via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields has "-ComObject"
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 69 - Potential Terminal Server or TermService Tampering via RDPWrap.md:
--------------------------------------------------------------------------------
# *Potential Terminal Server or TermService Tampering via RDPWrap*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/11 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1505.005 | Server Software Component: Terminal Services DLL | https://attack.mitre.org/techniques/T1505/005/ |
| T1021.001 | Remote Services: Remote Desktop Protocol | https://attack.mitre.org/techniques/T1021/001/ |

#### Description

DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance that page with more information when I get better/get back. For now, consider this as a hunting query.

This query returns events where the Terminal Server or TermService may have been tampered with via RDPWrap.

PS: For more immediate context, RDPWrap is used by threat actors (mostly script kiddies, "à la" Phobos) to patch the Terminal Server/TermService on a Windows system and allow things such as concurrent sessions (meaning that if two users are already logged in, a third one, the TA, could log in without prompting the other two to disconnect).

PS 2: This behavior MAY already be detected by Defender for Endpoint (MDE) through a built-in rule. It's been a while since I last tested it.
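
An added host-side triage check (example code, not from this note or the repository) for the three registry locations the query below watches, to run on a host the query has flagged. It relies on assumptions the page does not state: a stock TermService points ServiceDll at `%SystemRoot%\System32\termsrv.dll`, and RDPWrap's usual footprint is a ServiceDll redirected to rdpwrap.dll with rdpwrap.ini next to it, `EnableConcurrentSessions=1` under Licensing Core and `AllowMultipleTSSessions=1` under Winlogon.

```powershell
# Added example, not from the 100DaysOfKQL repository. Run from an elevated prompt on
# the suspect host; it only reads the registry and file signatures, it changes nothing.
# Assumed defaults/footprint (see lead-in): termsrv.dll as the stock ServiceDll,
# rdpwrap.dll + rdpwrap.ini, EnableConcurrentSessions and AllowMultipleTSSessions.

function Get-TermServiceTamperingIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1) Is TermService still served by the stock termsrv.dll?
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $dllPath  = [Environment]::ExpandEnvironmentVariables($dll)
        $expected = Join-Path $env:SystemRoot 'System32\termsrv.dll'
        if ($dllPath -ne $expected) {
            $findings.Add([pscustomobject]@{ Indicator = 'TermService ServiceDll redirected'; Value = $dll })
        }
        if (Test-Path -LiteralPath $dllPath) {
            # A DLL still called termsrv.dll can be a patched copy: check who signed it.
            # Stock system DLLs are catalog-signed; NotSigned/HashMismatch here is a finding.
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings.Add([pscustomobject]@{ Indicator = 'TermService DLL not validly Microsoft-signed'; Value = "$dllPath ($($sig.Status))" })
            }
            # RDPWrap keeps its per-build patch offsets in rdpwrap.ini beside its DLL
            $ini = Join-Path (Split-Path -Path $dllPath -Parent) 'rdpwrap.ini'
            if (Test-Path -LiteralPath $ini) {
                $findings.Add([pscustomobject]@{ Indicator = 'rdpwrap.ini next to ServiceDll'; Value = $ini })
            }
        }
    }

    # 2) The concurrent-session switches RDPWrap flips (the query's other two key paths)
    $licKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core'
    $ecs = (Get-ItemProperty -Path $licKey -Name EnableConcurrentSessions -ErrorAction SilentlyContinue).EnableConcurrentSessions
    if ($ecs -eq 1) {
        $findings.Add([pscustomobject]@{ Indicator = 'EnableConcurrentSessions = 1'; Value = $licKey })
    }

    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $amts = (Get-ItemProperty -Path $winlogonKey -Name AllowMultipleTSSessions -ErrorAction SilentlyContinue).AllowMultipleTSSessions
    if ($amts -eq 1) {
        $findings.Add([pscustomobject]@{ Indicator = 'AllowMultipleTSSessions = 1'; Value = $winlogonKey })
    }

    return $findings
}

$indicators = @(Get-TermServiceTamperingIndicators)
if ($indicators.Count -gt 0) { $indicators | Format-Table -AutoSize } else { 'No TermService tampering indicators found.' }
```

The registry values alone tell you the switches were set; the signature and rdpwrap.ini checks tell you whether the DLL actually serving RDP was swapped, which is the part the query cannot see on its own.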

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query
- Defender for Identity (MDI) - Coming later

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceRegistryEvents ###
```KQL
DeviceRegistryEvents
| where RegistryKey has_any (@"Control\Terminal Server\Licensing Core", @"Services\TermService\Parameters")
    or (RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        and RegistryValueName == "AllowMultipleTSSessions")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceRegistryEvents ###
```KQL
DeviceRegistryEvents
| where RegistryKey has_any (@"Control\Terminal Server\Licensing Core", @"Services\TermService\Parameters")
    or (RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        and RegistryValueName == "AllowMultipleTSSessions")
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 74 - Consent to Application With Dangerous Delegated Permissions.md:
--------------------------------------------------------------------------------
# *Consent to Application With Dangerous Delegated Permissions*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/16 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| N/A | N/A | N/A |

#### Description

DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance that page with more information when I get better/get back. For now, consider this as a hunting query.

This query returns events where a user consents to an application with dangerous delegated permissions.

PS: For more immediate context, this query uses LETHAL-FORENSICS's Microsoft-Analyzer-Suite Delegated Permissions Blacklist to look for events where a user consents to an app with dangerous delegated permissions. As it is right now, the query only keeps permissions with a "High" Severity rating, though that filter can be removed if needed.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite/tree/main (https://x.com/LETHAL_DFIR)

### Queries Overview ###

- Microsoft Sentinel (Microsoft Entra ID) - 1 query

## Microsoft Sentinel ##
### Microsoft Entra ID via AuditLogs ###
```KQL
let DangerousDelegatedPermissions =
    externaldata (Permission: string, PermissionType: string, DisplayText: string, AdminConsentRequired: string, Severity: string)
    ["https://raw.githubusercontent.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite/refs/heads/main/Blacklists/DelegatedPermission-Blacklist.csv"]
    with (format=csv, ignoreFirstRecord=true)
    | where Severity == "High"
    | distinct Permission;
AuditLogs
| where OperationName == "Consent to application"
| extend targetResources = parse_json(TargetResources)
| mv-apply tr = targetResources on (
    extend targetResource = tr.displayName
    | mv-apply mp = tr.modifiedProperties on (
        where mp.displayName == "ConsentAction.Permissions"
        | extend ConsentActionPermissions = tostring(mp.newValue)))
// newValue typically reads "[] => [[Id: ..., ConsentType: Principal, Scope: Mail.Read User.Read offline_access, CreatedDateTime: ...]]",
// so the space-separated scope list sits between "Scope: " and the next comma
| parse ConsentActionPermissions with * "Scope: " ExtractedPermissions "," *
| extend Permissions = split(ExtractedPermissions, " ")
| where Permissions has_any (DangerousDelegatedPermissions)
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 11 - Script Execution From User's Downloads Folder.md:
--------------------------------------------------------------------------------
# *Script Execution From User's Downloads Folder*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/11 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ |

#### Description

This query returns events where a user launched a script (BAT, PS1, JS, JSE, VB, VBE, VBS, etc.) from their Downloads folder. A typical phishing technique which is still around but probably less effective now. Basically, get a user to download a JS file masquerading as something else (fake browser update, SocGholish-like) and then execute it. It also works if a user downloads an archive (e.g.: ZIP) with a script inside, extracts its content into the Downloads folder first, and then goes in and double-clicks the script to launch it.

Most scripts will be executed with either wscript.exe or cscript.exe, except for the obvious BAT, CMD and PS1 ones, and since the script path is in the command line, we can look for events where it's located within a user's Downloads folder.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceProcessEvents ###
```KQL
let ScriptInterpreters = dynamic([
    "cmd.exe",
    "powershell.exe",
    "pwsh.exe",
    "mshta.exe",
    "cscript.exe",
    "wscript.exe"
]);
DeviceProcessEvents
| where FileName in~ (ScriptInterpreters)
// Anything under <drive>:\Users\<user>\Downloads\ that appears in the command line
| extend ScriptPath = extract(@"(?i)[a-z]:\\Users\\[^\\]+\\Downloads\\.+", 0, ProcessCommandLine)
| where isnotempty(ScriptPath)
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceProcessEvents ###
```KQL
let ScriptInterpreters = dynamic([
    "cmd.exe",
    "powershell.exe",
    "pwsh.exe",
    "mshta.exe",
    "cscript.exe",
    "wscript.exe"
]);
DeviceProcessEvents
| where FileName in~ (ScriptInterpreters)
// Anything under <drive>:\Users\<user>\Downloads\ that appears in the command line
| extend ScriptPath = extract(@"(?i)[a-z]:\\Users\\[^\\]+\\Downloads\\.+", 0, ProcessCommandLine)
| where isnotempty(ScriptPath)
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 23 - Workstations with Public IP Assigned to Network Interface.md:
--------------------------------------------------------------------------------
# *Workstations with Public IP Assigned to Network Interface*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/23 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| N/A | N/A | N/A |

#### Description

This query returns events where a workstation (e.g.: Windows 10, Windows 11) has a public IP address assigned to one of its network interfaces. This information is readily available in the DeviceNetworkInfo table, in the IPAddresses column (a dynamic array of objects). It even tells us whether each IP is public or private, how awesome is that!

The use case here is, I still see in 2024 (haven't seen it in 2025 yet but, it's just January), users that somehow end up getting a public IP assigned to their endpoint (corporate ones, though they are not at the office). And what happens when a Windows device (servers aside) is directly exposed to the Internet? There are so many correct answers here, you most likely guessed one of them.

Therefore, before this situation turns into an RDP brute-forcing alert, or an "Internet facing device" tag in MDE, you can actually look for this and get notified in almost real time when a workstation gets assigned a public IP. This allows you to react right away, contact the user and possibly ask them to take a photo of how they're currently set up to have gotten that IP assignment.

If I had a penny for every time I responded to that kind of incident, I would probably be able to buy an Arizona Tea (reference: https://x.com/DrinkAriZona/status/1882181201987035591)

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Microsoft Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceInfo and DeviceNetworkInfo ###
```KQL
let Workstations = (DeviceInfo
    | where DeviceType == "Workstation"
    | distinct DeviceName);
DeviceNetworkInfo
| where DeviceName in~ (Workstations)
| mv-expand IPAddresses
| where IPAddresses.AddressType == "Public"
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceInfo and DeviceNetworkInfo ###
```KQL
let Workstations = (DeviceInfo
    | where DeviceType == "Workstation"
    | distinct DeviceName);
DeviceNetworkInfo
| where DeviceName in~ (Workstations)
// parse_json is a no-op on an already-dynamic column and makes mv-expand work where IPAddresses arrives as a JSON string
| extend IPAddresses = parse_json(IPAddresses)
| mv-expand IPAddresses
| where IPAddresses.AddressType == "Public"
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 83 - Password Accessed By User in Google Chrome or Microsoft Edge.md:
--------------------------------------------------------------------------------
# *Password Accessed By User in Google Chrome or Microsoft Edge*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/25 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | https://attack.mitre.org/techniques/T1555/003/ |

#### Description

DISCLAIMER - I have to post this query quickly today. I'll come back to it and update it with more information later on.

This query returns events where a password saved in the browser's Password Manager was potentially accessed by a user.
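
The same logic as the SecurityEvent query on this page, as an added example (not from this note or the repository) run straight against a host's Security log when you want to confirm a hit without waiting on ingestion. It assumes the 4624 EventData field names LogonType, TargetUserName, SubjectUserName, TargetDomainName, TargetLogonId and ProcessName (full path), and that the browsers run from their standard chrome.exe / msedge.exe binaries.

```powershell
# Added example, not from the 100DaysOfKQL repository. Needs an elevated prompt
# (Security log) and reads the 4624 EventData fields by name rather than by position.

function Get-BrowserPasswordManagerLogons {
    param([int]$MaxEvents = 5000)

    # Let the event log engine pre-filter: 4624 with LogonType 2 (Interactive) only.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # <Data Name="X">value</Data> -> $d['X']
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            $proc = [string]$d['ProcessName']          # full path of the process that requested the logon
            if ($proc -notmatch '\\(chrome|msedge)\.exe$') { return }
            # Same machine-account exclusions as the KQL (account names ending in "$")
            if ($d['TargetUserName'] -like '*$' -or $d['SubjectUserName'] -like '*$') { return }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Browser     = Split-Path -Path $proc -Leaf
                LogonId     = $d['TargetLogonId']
            }
        }
}

Get-BrowserPasswordManagerLogons | Format-Table -AutoSize
```

Matching on the tail of ProcessName rather than on a bare file name avoids missing browsers installed per-user under AppData, and the Logon ID gives you the key to correlate with the user's session if you need to see what else happened around the reveal.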

Chromium-based Web browsers such as Google Chrome and Microsoft Edge encrypt/protect the passwords saved in the Password Manager feature. When you try to view an account that was saved there, you're prompted for your Windows credentials to confirm that you can access them. Entering your credentials successfully unlocks that account within the Password Manager, from which you can display/show the saved password if needed.

This generates an Interactive (Logon Type 2) successful logon event for the user, with the Web browser process (e.g.: chrome.exe or msedge.exe) as the initiating process.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query
- Microsoft Sentinel (SecurityEvent) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceLogonEvents ###
```KQL
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where LogonType == "Interactive"
| where not (AccountName endswith "$")
| where not (InitiatingProcessAccountName endswith "$")
| where InitiatingProcessFileName in~ ("msedge.exe","chrome.exe")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceLogonEvents ###
```KQL
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where LogonType == "Interactive"
| where not (AccountName endswith "$")
| where not (InitiatingProcessAccountName endswith "$")
| where InitiatingProcessFileName in~ ("msedge.exe","chrome.exe")
```
### Microsoft Sentinel via SecurityEvent ###
```KQL
SecurityEvent
| where EventID == 4624
| where LogonType == 2
| where not (TargetAccount endswith "$")
| where not (SubjectAccount endswith "$")
| where Process in~ ("msedge.exe","chrome.exe")
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 15 - PowerShell Invoke-WebRequest, IWR or Net.WebClient.md:
--------------------------------------------------------------------------------
# *PowerShell Invoke-WebRequest, IWR or Net.WebClient*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/15 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1105 | Ingress Tool Transfer | https://attack.mitre.org/techniques/T1105/ |

#### Description

This query returns events where the PowerShell Invoke-WebRequest cmdlet (or IWR, its alias) or the .NET WebClient class was used. Useful for Ingress Tool Transfer (T1105) but also for data exfiltration if you want to send data out (e.g.: Registry Hive dumps, LSASS dump, etc.).

Often used by malware and threat actors alike (even APTs, see below). The kind of query that you want to run, look at the various unique iterations of the command (use distinct) and just see if you can spot anything suspicious/malicious.

Depending on their use in an environment, it can act as a detection and/or can be fine-tuned to become one if more filters are added: execution context, destination IPs/domains, etc.
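
An added host-side counterpart (example code, not from this note or the repository) that runs the same three strings over the local PowerShell script block log (event 4104, which requires Script Block Logging to be enabled) and pulls the URL out of each hit so the destination can be triaged, as the last paragraph suggests. The 4104 property order (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path) and the regular expressions are assumptions made here, not something the page states.

```powershell
# Added example, not from the 100DaysOfKQL repository. Reads
# Microsoft-Windows-PowerShell/Operational 4104 (script block) events; Script Block
# Logging must be enabled for these to exist. Properties[2]/[4] = ScriptBlockText/Path
# (assumed 4104 field order, see lead-in).

function Get-PowerShellDownloadCradles {
    param([int]$MaxEvents = 10000)

    $cradlePattern = 'Invoke-WebRequest|\biwr\b|Net\.WebClient'          # same three strings as the KQL
    $urlPattern    = '\b(?:https?|ftp)://[^\s''")\]>]+'                  # first cut at pulling URLs out
    $rawIpPattern  = '^[a-z]+://(\d{1,3}\.){3}\d{1,3}(:\d+)?(/|$)'        # literal IP host: no domain to hide behind

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            if ($text -notmatch $cradlePattern) { return }   # -match/-notmatch are case-insensitive

            $urls  = @([regex]::Matches($text, $urlPattern, 'IgnoreCase') | ForEach-Object { $_.Value })
            $rawIp = @($urls | Where-Object { $_ -match $rawIpPattern }).Count -gt 0

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ScriptPath  = $_.Properties[4].Value      # empty for interactive / in-memory blocks
                Urls        = ($urls -join ' ')
                RawIpTarget = $rawIp
                Snippet     = $text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' '
            }
        } |
        Sort-Object -Property RawIpTarget -Descending
}

# Review the RawIpTarget hits first, then the distinct snippets.
Get-PowerShellDownloadCradles | Format-Table -AutoSize -Wrap
```

Script block logging sees the text after PowerShell has expanded it, so a cradle hidden behind string concatenation or an encoded command on the command line still shows up here in the clear; that is the reason the DeviceEvents PowerShellCommand query on this page catches things the DeviceNetworkEvents command-line match does not.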
26 | 27 | #### Author 28 | - **Name:** SecurityAura 29 | - **Github:** https://github.com/SecurityAura 30 | - **Twitter:** https://x.com/SecurityAura 31 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 32 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 33 | - **LinkedIn:** Coming Soon! 34 | - **Website:** https://medium.com/@securityaura 35 | 36 | #### Reference(s) 37 | 38 | - https://www.huntress.com/blog/the-hunt-for-redcurl-2 39 | - https://azeria-labs.com/data-exfiltration/ 40 | 41 | ### Queries Overview ### 42 | 43 | - Microsoft Defender for Endpoint (MDE) - 2 queries 44 | 45 | ## Defender XDR ## 46 | ### Microsoft Defender for Endpoint via DeviceNetworkEvents ### 47 | ```KQL 48 | DeviceNetworkEvents 49 | | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe") 50 | | where InitiatingProcessCommandLine has_any ("Invoke-WebRequest", "IWR", "Net.WebClient") 51 | ``` 52 | ### Microsoft Defender for Endpoint via DeviceEvents ### 53 | ```KQL 54 | DeviceEvents 55 | | where ActionType == "PowerShellCommand" 56 | | where AdditionalFields has_any ("Invoke-WebRequest", "IWR", "Net.WebClient") 57 | ``` 58 | ## Microsoft Sentinel ## 59 | ### Microsoft Defender for Endpoint via DeviceNetworkEvents ### 60 | ```KQL 61 | DeviceNetworkEvents 62 | | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe") 63 | | where InitiatingProcessCommandLine has_any ("Invoke-WebRequest", "IWR", "Net.WebClient") 64 | ``` 65 | ### Microsoft Defender for Endpoint via DeviceEvents ### 66 | ```KQL 67 | DeviceEvents 68 | | where ActionType == "PowerShellCommand" 69 | | where AdditionalFields has_any ("Invoke-WebRequest", "IWR", "Net.WebClient") 70 | ``` 71 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 79 - PowerShell Process Launching PowerShell Process with Encoded Command.md: -------------------------------------------------------------------------------- 1 | # *PowerShell 
Process Launching PowerShell Process with Encoded Command* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/03/21 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ | 17 | | T1027.010 | Obfuscated Files or Information: Command Obfuscation | https://attack.mitre.org/techniques/T1027/010/ | 18 | 19 | #### Description 20 | 21 | DISCLAIMER - I have to post this query quickly today. I'll comeback to it and update it with more information later on. 22 | 23 | This query returns events a PowerShell process launches another PowerShell process that has an encoded command (-EncodedCommand) or vice-versa. 24 | 25 | This query should be considered as a threat hunting query. Depending on what is running an environment, that sort of behavior should be quite rare, if not absent. False positives could occur with solutions such as Ansible. 26 | 27 | #### Author 28 | - **Name:** SecurityAura 29 | - **Github:** https://github.com/SecurityAura 30 | - **Twitter:** https://x.com/SecurityAura 31 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 32 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 33 | - **LinkedIn:** Coming Soon! 
34 | - **Website:** https://medium.com/@securityaura 35 | 36 | ### Queries Overview ### 37 | 38 | - Defender for Endpoint (MDE) - 1 query 39 | 40 | ## Microsoft Defender XDR ## 41 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 42 | ```KQL 43 | let EncodedCommandStrings = dynamic([ 44 | "-e ", 45 | "-ec ", 46 | "-en ", 47 | "-enc ", 48 | "-enco ", 49 | "-encod ", 50 | "-encoded ", 51 | "-EncodedCommand " 52 | ]); 53 | DeviceProcessEvents 54 | | where (InitiatingProcessFileName =~ "powershell.exe" 55 | and FileName =~ "powershell.exe" 56 | and ProcessCommandLine has_any (EncodedCommandStrings)) 57 | or (InitiatingProcessFileName =~ "powershell.exe" 58 | and InitiatingProcessCommandLine has_any (EncodedCommandStrings) 59 | and FileName =~ "powershell.exe") 60 | ``` 61 | ## Microsoft Sentinel ## 62 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 63 | ```KQL 64 | let EncodedCommandStrings = dynamic([ 65 | "-e ", 66 | "-ec ", 67 | "-en ", 68 | "-enc ", 69 | "-enco ", 70 | "-encod ", 71 | "-encoded ", 72 | "-EncodedCommand " 73 | ]); 74 | DeviceProcessEvents 75 | | where (InitiatingProcessFileName =~ "powershell.exe" 76 | and FileName =~ "powershell.exe" 77 | and ProcessCommandLine has_any (EncodedCommandStrings)) 78 | or (InitiatingProcessFileName =~ "powershell.exe" 79 | and InitiatingProcessCommandLine has_any (EncodedCommandStrings) 80 | and FileName =~ "powershell.exe") 81 | ``` 82 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 94 - Archive Created at the Root of a Drive.md: -------------------------------------------------------------------------------- 1 | # *Archive Created at the Root of a Drive* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/01/01 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | 
Title | Link | 15 | | --- | --- | --- | 16 | | T1560.001 | Archive Collected Data: Archive via Utility | https://attack.mitre.org/techniques/T1560/001/ | 17 | | T1074 | Data Staged | https://attack.mitre.org/techniques/T1074/ | 18 | 19 | #### Description 20 | 21 | This query return events where an archive (ZIP, RAR or 7Z) is created at the root of a drive (C:\, D:\, E:\, etc.) 22 | 23 | The logic behind that query is simple: a lot of threat actors, when going for the collection phase, will end up staging data at the root of a drive. Why? Because when they're on key servers such as File Servers, Backup Servers, etc. they may simply right-click on folders at the root and archive them using their preferred tool. Or even define the output path to be at the root of these drives when compressing files through the command line. 24 | 25 | While this aligns with T1074 (Data Staged), this is more of a general observation as to where/how threat actors decide to stage their files for future the exfiltration phrase. If you're lucky enough that these archives still exists during an investigation ... you've just hit the jackpot. 26 | 27 | Note: The false positives you may get the most are files on USB Flash Drives that gets observed by MDE. In terms of Threat Hunting, these should be more obvious to dismiss. RAR and or 7Z files, if WinRAR and/or 7-Zip aren't used in your environment can be suspicious from the get go. 28 | 29 | #### Author 30 | - **Name:** SecurityAura 31 | - **Github:** https://github.com/SecurityAura 32 | - **Twitter:** https://x.com/SecurityAura 33 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 34 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 35 | - **LinkedIn:** Coming Soon! 
36 | - **Website:** https://medium.com/@securityaura 37 | 38 | ### Queries Overview ### 39 | 40 | - Microsoft Defender for Endpoint (MDE) - 1 query 41 | 42 | ## Defender XDR ## 43 | ### Microsoft Defender for Endpoint via DeviceFileEvents ### 44 | ```KQL 45 | DeviceFileEvents 46 | // We're excluding the C:\ drive since our hypothesis is that the threat actor is compressing files from other drives 47 | | where FolderPath matches regex @"(?i)[^c]:\\[^\\]+$" 48 | | extend FileExtension = split(FileName,".")[-1] 49 | | where FileExtension in~ ("zip","rar","7z") 50 | ``` 51 | ## Microsoft Sentinel ## 52 | ### Microsoft Defender for Endpoint via DeviceFileEvents ### 53 | ```KQL 54 | DeviceFileEvents 55 | // We're excluding the C:\ drive since our hypothesis is that the threat actor is compressing files from other drives 56 | | where FolderPath matches regex @"(?i)[^c]:\\[^\\]+$" 57 | | extend FileExtension = split(FileName,".")[-1] 58 | | where FileExtension in~ ("zip","rar","7z") 59 | ``` 60 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 48 - runas.exe Usage.md: -------------------------------------------------------------------------------- 1 | # *runas.exe Usage* 2 | 3 | #### Changelog 4 | 5 | | Date | Comments | 6 | |---|---| 7 | | 2025/02/17 | Initial version (part of #100DaysOfKQL) | 8 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 9 | 10 | #### MITRE ATT&CK Technique(s) 11 | 12 | | Technique ID | Title | Link | 13 | | --- | --- | --- | 14 | | T1134.002 | Access Token Manipulation: Create Process with Token | https://attack.mitre.org/techniques/T1134/002/ | 15 | 16 | #### Description 17 | 18 | This query returns events where runas.exe was used. 19 | 20 | In Windows, runas.exe is a nifty little utility that allows you to run specific tools, programs, etc. as a different user. Different user being, other than the one that is currently logged in. 
Which means that you can spawn a cmd.exe or powershell.exe process using another set of credentials for instance and end up in a newly created process running at that user. 21 | 22 | From a threat actor's perspective, this can allow either for Defense Evasion or Privilege Escalation. For Defense Evasion, they may be spawning new processes as another user that may be less suspicious or monitored, depending on what processes, and therefore, subsequent commands, they launch. As for the Privilege Escalation part, they could spawn a new process that has higher privilege or level of access than their current user, and use it to perform operations/commands that couldn't be executed before. For instance, they may use runas.exe to spawn a cmd.exe shell with a user that can login/access Domain Controllers. And from there, simply "net use" the main Windows drive (C$) and from there, get remote access to a DC. 23 | 24 | The use of runas.exe with /savecred is also important/dangerous. As it means that any credential that would be entered in this command will be saved in the Windows Credential Manager and subsequent runas.exe commands calling that user will not require/prompt the user for the password of that target account. 25 | 26 | PS: Akira still uses runas.exe in 2025, don't sleep on it! 27 | 28 | #### Author 29 | - **Name:** SecurityAura 30 | - **Github:** https://github.com/SecurityAura 31 | - **Twitter:** https://x.com/SecurityAura 32 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 33 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 34 | - **LinkedIn:** Coming Soon! 
35 | - **Website:** https://medium.com/@securityaura 36 | 37 | ### References ### 38 | 39 | - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11) 40 | 41 | ### Queries Overview ### 42 | 43 | - Defender for Endpoint (MDE) - 1 query 44 | 45 | ## Microsoft Defender XDR ## 46 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 47 | ```KQL 48 | DeviceProcessEvents 49 | | where FileName =~ "runas.exe" 50 | or InitiatingProcessFileName =~ "runas.exe" 51 | ``` 52 | ## Microsoft Sentinel ## 53 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 54 | ```KQL 55 | DeviceProcessEvents 56 | | where FileName =~ "runas.exe" 57 | or InitiatingProcessFileName =~ "runas.exe" 58 | ``` 59 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 16 - Processes Launched by PowerShell Remoting (WSMProvHost.exe).md: -------------------------------------------------------------------------------- 1 | # *Processes Launched by PowerShell Remoting (WSMProvHost.exe)* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/01/16 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ | 17 | | T1021.006 | Remote Services: Windows Remote Management | https://attack.mitre.org/techniques/T1021/006/ | 18 | 19 | 20 | #### Description 21 | 22 | This query returns a quick summarized view of processes that were launched through PowerShell Remoting where the parent process is WSMProvHost.exe. 23 | 24 | PowerShell Remoting allows you to connect/establish a session to a remote system and execute commands through PowerShell. 
On the remote (target) system, this results in processes being launched by the WSMProvHost.exe process. It is therefore quite easy to get a list of all the processes it launched and review them for ones that could be suspicious/malicious, such as a threat actor attempting to move laterally around the environment. 25 | 26 | By summarizing the distinct ProcessCommandLine values per FolderPath, you end up with a lot fewer results to review, and you can also order the results by the number of unique ProcessCommandLine values in order to find unique/uncommon ones. 27 | 28 | #### Author 29 | - **Name:** SecurityAura 30 | - **Github:** https://github.com/SecurityAura 31 | - **Twitter:** https://x.com/SecurityAura 32 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 33 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 34 | - **LinkedIn:** Coming Soon! 35 | - **Website:** https://medium.com/@securityaura 36 | 37 | #### Reference(s) 38 | 39 | - https://learn.microsoft.com/en-us/powershell/scripting/security/remoting/powershell-remoting-faq?view=powershell-7.4 40 | - https://www.splunk.com/en_us/blog/security/powershell-web-access-your-network-s-backdoor-in-plain-sight.html (because it works for PSWA too!)
41 | - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html 42 | 43 | ### Queries Overview ### 44 | 45 | - Microsoft Defender for Endpoint (MDE) - 1 query 46 | 47 | ## Defender XDR ## 48 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 49 | ```KQL 50 | DeviceProcessEvents 51 | | where InitiatingProcessFileName =~ "wsmprovhost.exe" 52 | | summarize ["ProcessCommandLines"]=make_set(ProcessCommandLine), 53 | ["ProcessCommandLineCount"]=dcount(ProcessCommandLine) 54 | by FolderPath 55 | ``` 56 | ## Microsoft Sentinel ## 57 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 58 | ```KQL 59 | DeviceProcessEvents 60 | | where InitiatingProcessFileName =~ "wsmprovhost.exe" 61 | | summarize ["ProcessCommandLines"]=make_set(ProcessCommandLine), 62 | ["ProcessCommandLineCount"]=dcount(ProcessCommandLine) 63 | by FolderPath 64 | ``` 65 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process.md: -------------------------------------------------------------------------------- 1 | # *CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/04/12 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ | 17 | | T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ | 18 | | T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ | 19 | 20 | #### Description 21 | 22 | This query returns events where a script interpreter (cscript.exe, wscript.exe or mshta.exe) was executed from a Web browser process.
23 | 24 | The logic here is similar to the one from the Day 11 query, with one big difference: the event we're targeting here is one where the user downloads a script file that gets executed by cscript.exe, wscript.exe or mshta.exe when opened (e.g.: VB, VBE, VBS, JS, JSE, WS, WSE, etc.). 25 | 26 | This is typically what you would see when a user downloads such a file (e.g.: ChromeUpdate2025.js) and then opens it from the Web browser interface (e.g.: clicks on it from the Downloads view in Google Chrome). And this is exactly how some malware still ... "behave" to this day: 27 | 28 | https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-Fake-Browser-Updates-Attacks-with/ba-p/876307 29 | 30 | #### Author 31 | - **Name:** SecurityAura 32 | - **Github:** https://github.com/SecurityAura 33 | - **Twitter:** https://x.com/SecurityAura 34 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 35 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 36 | - **LinkedIn:** Coming Soon!
37 | - **Website:** https://medium.com/@securityaura 38 | 39 | ### Queries Overview ### 40 | 41 | - Defender for Endpoint (MDE) - 1 query 42 | 43 | ## Defender XDR ## 44 | ### Defender for Endpoint (MDE) via DeviceProcessEvents ### 45 | ```KQL 46 | let ScriptInterpreters = dynamic([ 47 | "wscript.exe", 48 | "cscript.exe", 49 | "mshta.exe" 50 | ]); 51 | let WebBrowsers = dynamic([ 52 | "msedge.exe", 53 | "chrome.exe", 54 | "firefox.exe", 55 | "iexplore.exe", 56 | "brave.exe", 57 | "opera.exe" 58 | ]); 59 | DeviceProcessEvents 60 | | where FileName in~ (ScriptInterpreters) 61 | | where InitiatingProcessFileName in~ (WebBrowsers) 62 | ``` 63 | ## Microsoft Sentinel ## 64 | ### Defender for Endpoint (MDE) via DeviceProcessEvents ### 65 | ```KQL 66 | let ScriptInterpreters = dynamic([ 67 | "wscript.exe", 68 | "cscript.exe", 69 | "mshta.exe" 70 | ]); 71 | let WebBrowsers = dynamic([ 72 | "msedge.exe", 73 | "chrome.exe", 74 | "firefox.exe", 75 | "iexplore.exe", 76 | "brave.exe", 77 | "opera.exe" 78 | ]); 79 | DeviceProcessEvents 80 | | where FileName in~ (ScriptInterpreters) 81 | | where InitiatingProcessFileName in~ (WebBrowsers) 82 | ``` 83 | -------------------------------------------------------------------------------- /Defender for Endpoint/Windows Service Masquerading as Per-User Service.md: -------------------------------------------------------------------------------- 1 | # *Windows Service Masquerading as Per-User Service* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/06/08 | Initial version | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | T1569.002 | System Services: Service Execution | https://attack.mitre.org/techniques/T1569/002/ | 16 | | T1543.003 | Create or Modify System Process: Windows Service | https://attack.mitre.org/techniques/T1543/003/ | 17 | | T1036.004 | Masquerading: Masquerade Task or Service | 
https://attack.mitre.org/techniques/T1036/004/ | 18 | 19 | #### Description 20 | 21 | This query returns ServiceInstalled events for services whose name matches the naming convention used by per-user services in Windows 10+, but whose associated service binary is not the expected one. 22 | 23 | Per-user services on Windows 10+ are always associated with C:\Windows\System32\svchost.exe, except for CredentialEnrollmentManagerUserSvc, which is associated with C:\Windows\System32\CredentialEnrollmentManager.exe. Since these service names follow a pattern that can be matched with a regex (the template name followed by an underscore and a hexadecimal suffix, such as CDPUserSvc_<hex>) and their associated binary is known, we can easily craft a query that looks for services masquerading as them while pointing to other binaries. 24 | 25 | False positives are possible on certain services from what I've seen, such as this Realtek driver, whose name happens to fit the same letters_hex pattern: 26 | 27 | - ServiceName = RtkUsbAD_2370 | ServiceBinPath = \SystemRoot\System32\DriverStore\FileRepository\[OMITTED]\RtUsbA64.sys 28 | 29 | #### Author 30 | - **Name:** SecurityAura 31 | - **Github:** https://github.com/SecurityAura 32 | - **Twitter:** https://x.com/SecurityAura 33 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 34 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 35 | - **LinkedIn:** Coming Soon!
36 | - **Website:** https://medium.com/@securityaura 37 | 38 | #### References 39 | 40 | - https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows 41 | 42 | ### Queries Overview ### 43 | 44 | - Defender for Endpoint (MDE) - 1 query 45 | 46 | ## Microsoft Defender XDR ## 47 | ### Defender for Endpoint (MDE) via DeviceEvents ### 48 | ```KQL 49 | DeviceEvents 50 | | where ActionType == "ServiceInstalled" 51 | | extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName) 52 | | where ServiceName matches regex "(?i)^[A-Za-z]+_[A-Fa-f0-9]+$" 53 | | extend ServiceBinPath = strcat(FolderPath,"\\",FileName) 54 | | where ServiceBinPath !in~ ("C:\\WINDOWS\\System32\\svchost.exe", "C:\\Windows\\System32\\CredentialEnrollmentManager.exe") 55 | ``` 56 | ## Microsoft Sentinel ## 57 | ### Defender for Endpoint (MDE) via DeviceEvents ### 58 | ```KQL 59 | DeviceEvents 60 | | where ActionType == "ServiceInstalled" 61 | | extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName) 62 | | where ServiceName matches regex "(?i)^[A-Za-z]+_[A-Fa-f0-9]+$" 63 | | extend ServiceBinPath = strcat(FolderPath,"\\",FileName) 64 | | where ServiceBinPath !in~ ("C:\\WINDOWS\\System32\\svchost.exe", "C:\\Windows\\System32\\CredentialEnrollmentManager.exe") 65 | ``` 66 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 12 - Successful Sign-in to OfficeHome with ASN Enrichment.md: -------------------------------------------------------------------------------- 1 | # *Successful Sign-in to OfficeHome with ASN Enrichment* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/01/12 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1566 | Phishing |
https://attack.mitre.org/techniques/T1566/ | 17 | 18 | #### Description 19 | 20 | This query returns Entra ID sign-ins for the OfficeHome (portal.office.com) application where the credentials were accepted, whether or not access was ultimately granted (the SuccessCodes list in the query includes result codes, such as Conditional Access blocks, that are only returned after a successful authentication), with ASN enrichment on the IP address the sign-in came from. The ASN enrichment is done through GypTheCat[.]com's awesome Kusto ASN Table. Once again, thank you to Matt Zorich (@reprise99) for showing me that site and resource! 21 | 22 | https://firewalliplists.gypthecat.com/kusto-tables/kusto-asn-table/ 23 | 24 | This is something you'll often see in "Attacker-in-the-middle" (AiTM) phishing, where a successful sign-in is generated from an IP address belonging to a known-bad ASN and/or one that mostly hosts servers (hosting/colocation providers), and the associated app is OfficeHome. See the reference(s) below. 25 | 26 | That specific behavior, while the attacker can change it, is still quite common/popular and can therefore be easily detected and/or hunted for in most environments (small or large). 27 | 28 | #### Author 29 | - **Name:** SecurityAura 30 | - **Github:** https://github.com/SecurityAura 31 | - **Twitter:** https://x.com/SecurityAura 32 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 33 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 34 | - **LinkedIn:** Coming Soon!
35 | - **Website:** https://medium.com/@securityaura 36 | 37 | #### Reference(s) 38 | 39 | - https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/Adversary-in-the-Middle.md#hunting-of-officehome-application-sign-ins-by-dart-team-query 40 | - https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/ 41 | - https://jeffreyappel.nl/aitm-mfa-phishing-attacks-in-combination-with-new-microsoft-protections-2023-edt/ 42 | 43 | ### Queries Overview ### 44 | 45 | - Microsoft Sentinel - Signin (via Microsoft Entra ID) 46 | 47 | ## Microsoft Sentinel ## 48 | ### Microsoft Entra ID via SigninLogs ### 49 | ```KQL 50 | let CIDRASN = ( 51 | externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string) 52 | ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] 53 | with (ignoreFirstRecord=true) 54 | ); 55 | // Taken from Matt Zorich (@reprise99) awesome website: https://learnsentinel.blog/2021/08/30/azure-sentinel-and-the-story-of-a-very-persistent-attacker/ 56 | let SuccessCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]); 57 | SigninLogs 58 | | where AppDisplayName == "OfficeHome" 59 | | where ResultType in (SuccessCodes) 60 | | evaluate ipv4_lookup(CIDRASN, IPAddress, CIDR, return_unmatched=true) 61 | ``` 62 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 10 - Virtual Drive Mounted From Archive.md: -------------------------------------------------------------------------------- 1 | # *Virtual Drive Mounted From Archive* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/01/10 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | 
Title | Link | 15 | | --- | --- | --- | 16 | | T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ | 17 | 18 | #### Description 19 | 20 | This query returns events where a virtual drive file, hidden inside an archive (virtual drive smuggling?), would have been mounted by a user who double-clicked on it from within that archive. 21 | 22 | When you double-click on a file inside an archive without extracting it, be it ZIP, 7z, RAR, etc., it is temporarily extracted into the user's %TEMP% folder and launched. The same goes for virtual drives: for as long as they are mounted, they reside in the %TEMP% folder, underneath the folder of whatever application was used to browse "inside" the archive and double-click on the virtual drive. 23 | 24 | ![image](https://github.com/user-attachments/assets/8368a363-4ab5-4aa7-9467-9a7395d60c02) 25 | 26 | Therefore, we can look for file events where a file with a "virtual drive" (or disk image) extension such as VHD, VHDX, VMDK, ISO, etc. is created within an extracted-archive folder in the user's %TEMP% folder. 27 | 28 | PS: You may want to read this article from Palo Alto which references CVE-2023-36884 and what happened to the use of the "Temp1" folder in %TEMP%. 29 | 30 | https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/ 31 | 32 | #### Author 33 | - **Name:** SecurityAura 34 | - **Github:** https://github.com/SecurityAura 35 | - **Twitter:** https://x.com/SecurityAura 36 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 37 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 38 | - **LinkedIn:** Coming Soon!
39 | - **Website:** https://medium.com/@securityaura 40 | 41 | ### Queries Overview ### 42 | 43 | - Defender for Endpoint (MDE) - 1 query 44 | 45 | ## Defender XDR ## 46 | ### Defender for Endpoint (MDE) via DeviceFileEvents ### 47 | ```KQL 48 | let DiskImageFileExtensions = dynamic([ 49 | "iso", 50 | "img", 51 | "vhd", 52 | "vhdx", 53 | "wim" 54 | ]); 55 | DeviceFileEvents 56 | | where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\AppData\\Local\\Temp\\(.*)?" 57 | | where FolderPath has_any ("7zo","Rar$",".zip","Temp1_") 58 | | extend FileExtension = split(FileName,".")[-1] 59 | | where FileExtension in~ (DiskImageFileExtensions) 60 | ``` 61 | ## Microsoft Sentinel ## 62 | ### Defender for Endpoint (MDE) via DeviceFileEvents ### 63 | ```KQL 64 | let DiskImageFileExtensions = dynamic([ 65 | "iso", 66 | "img", 67 | "vhd", 68 | "vhdx", 69 | "wim" 70 | ]); 71 | DeviceFileEvents 72 | | where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\AppData\\Local\\Temp\\(.*)?" 73 | | where FolderPath has_any ("7zo","Rar$",".zip","Temp1_") 74 | | extend FileExtension = split(FileName,".")[-1] 75 | | where FileExtension in~ (DiskImageFileExtensions) 76 | ``` 77 | -------------------------------------------------------------------------------- /DFIR/OfficeActivity - MailItemsAccessed Breakdown.md: -------------------------------------------------------------------------------- 1 | # *OfficeActivity - MailItemsAccessed Breakdown* 2 | 3 | ## Description 4 | 5 | The queries below can be used to obtain information about MailItemsAccessed events from flagged IP addresses. 6 | 7 | There are two (2) types of MailAccessType: Bind and Sync. A Bind event refers to an individual access to an email (e.g.: an email viewed in OWA), while a Sync event refers (technically) to the download of a folder's content by a Microsoft Outlook client on either Windows or macOS (though this could be challenged). The MailAccessType value is carried as a Name/Value pair in OperationProperties, next to IsThrottled. Keep throttling in mind when you rely on these events: once more than 1,000 MailItemsAccessed records are generated for a mailbox in less than 24 hours, Exchange Online stops logging that operation for the mailbox for 24 hours, and the record that marks the cut-off has IsThrottled set to True. For a throttled mailbox, the list of accessed emails you get from the audit log is therefore incomplete.
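The same breakdown, as an added Python example that is not part of this repository's queries: it reproduces the logic of the two KQL queries below (flagged-IP filter, Bind breakdown by InternetMessageId and folder, Sync breakdown by parent folder) over constructed OfficeActivity rows. The sample rows are made up for this example and follow the documented shape of the OperationProperties, Folders and Item fields; the IP addresses, users and message IDs are assumptions. Unlike the KQL, it reads MailAccessType by its Name rather than by array position, and it reports the users whose records were throttled, since their Bind list cannot be trusted to be complete.

```python
import json
from collections import defaultdict

# Constructed sample OfficeActivity rows (made up for this example, not real tenant
# data). OperationProperties is a list of Name/Value pairs (MailAccessType, IsThrottled),
# Folders carries FolderItems for Bind operations and Item.ParentFolder names the
# synchronised folder for Sync operations.
SAMPLE_ROWS = [
    {   # Bind from a flagged IP: two messages viewed in \Inbox
        "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "Operation": "MailItemsAccessed",
        "OperationProperties": json.dumps([{"Name": "MailAccessType", "Value": "Bind"},
                                           {"Name": "IsThrottled", "Value": "False"}]),
        "Folders": json.dumps([{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<m1@example.com>"}, {"InternetMessageId": "<m2@example.com>"}]}]),
    },
    {   # Bind from a second flagged IP: m2 viewed again, this time from \Sent Items
        "UserId": "alice@example.com", "ClientIP": "198.51.100.7", "Operation": "MailItemsAccessed",
        "OperationProperties": json.dumps([{"Name": "MailAccessType", "Value": "Bind"},
                                           {"Name": "IsThrottled", "Value": "False"}]),
        "Folders": json.dumps([{"Path": "\\Sent Items", "FolderItems": [
            {"InternetMessageId": "<m2@example.com>"}]}]),
    },
    {   # Sync from a flagged IP; note the properties appear in a different order
        "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "Operation": "MailItemsAccessed",
        "OperationProperties": json.dumps([{"Name": "IsThrottled", "Value": "False"},
                                           {"Name": "MailAccessType", "Value": "Sync"}]),
        "Item": json.dumps({"ParentFolder": {"Name": "Inbox", "Path": "\\Inbox"}}),
    },
    {   # Bind from a flagged IP on a mailbox that hit the throttling limit
        "UserId": "bob@example.com", "ClientIP": "203.0.113.10", "Operation": "MailItemsAccessed",
        "OperationProperties": json.dumps([{"Name": "MailAccessType", "Value": "Bind"},
                                           {"Name": "IsThrottled", "Value": "True"}]),
        "Folders": json.dumps([{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<m3@example.com>"}]}]),
    },
    {   # Bind from an IP that is not flagged: must be ignored
        "UserId": "carol@example.com", "ClientIP": "192.0.2.5", "Operation": "MailItemsAccessed",
        "OperationProperties": json.dumps([{"Name": "MailAccessType", "Value": "Bind"},
                                           {"Name": "IsThrottled", "Value": "False"}]),
        "Folders": json.dumps([{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<m9@example.com>"}]}]),
    },
]

FLAGGED_IPS = {"203.0.113.10", "198.51.100.7"}  # assumed list of IPs of interest


def operation_property(row, name):
    """Look a property up by Name; relying on its position in the array is fragile."""
    for prop in json.loads(row.get("OperationProperties") or "[]"):
        if prop.get("Name") == name:
            return str(prop.get("Value", ""))
    return ""


def from_flagged_ip(row, flagged):
    """Equivalent of the three OR'd IP columns in the KQL queries."""
    return any(row.get(col) in flagged for col in ("ClientIP", "Client_IPAddress", "ActorIpAddress"))


def mail_items_accessed(rows, flagged):
    return [r for r in rows if r.get("Operation") == "MailItemsAccessed" and from_flagged_ip(r, flagged)]


def bind_breakdown(rows, flagged):
    """Query #1: map (InternetMessageId, UserId) to the set of folders it was bound from."""
    out = defaultdict(set)
    for r in mail_items_accessed(rows, flagged):
        if operation_property(r, "MailAccessType") != "Bind":
            continue
        for folder in json.loads(r.get("Folders") or "[]"):
            for item in folder.get("FolderItems", []):
                out[(item.get("InternetMessageId", ""), r["UserId"])].add(folder.get("Path", ""))
    return dict(out)


def sync_breakdown(rows, flagged):
    """Query #2: distinct (folder name, folder path, UserId) tuples for Sync operations."""
    out = set()
    for r in mail_items_accessed(rows, flagged):
        if operation_property(r, "MailAccessType") != "Sync":
            continue
        parent = json.loads(r.get("Item") or "{}").get("ParentFolder", {})
        out.add((parent.get("Name", ""), parent.get("Path", ""), r["UserId"]))
    return out


def throttled_users(rows, flagged):
    """Users with IsThrottled=True records: their Bind list is incomplete, so treat the
    whole mailbox as accessed rather than only the messages listed."""
    return {r["UserId"] for r in mail_items_accessed(rows, flagged)
            if operation_property(r, "IsThrottled").lower() == "true"}


if __name__ == "__main__":
    for key, folders in sorted(bind_breakdown(SAMPLE_ROWS, FLAGGED_IPS).items()):
        print("Bind", key, sorted(folders))
    for entry in sorted(sync_breakdown(SAMPLE_ROWS, FLAGGED_IPS)):
        print("Sync", entry)
    print("Throttled:", sorted(throttled_users(SAMPLE_ROWS, FLAGGED_IPS)))
```

Run it against an export of the OfficeActivity rows (the three functions take any iterable of dict rows) and report the throttled users separately from the Bind breakdown, since for those mailboxes the message list is a lower bound, not the full picture.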
8 | 9 | https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts 10 | 11 | In BEC incidents, if you want to know which emails were accessed by a threat actor, you'll want to look into and breakdown these MailItemsAccessed events. 12 | 13 | ## Prerequisite(s) # 14 | 15 | A list of IP addresses that you identified as being malicious, suspicious and/or of interest. 16 | 17 | ## Microsoft Sentinel 18 | ### Query #1 - List of emails (InternetMessageId) involved in Bind operations 19 | 20 | This query will give you the list of emails, by their unique InternetMessageId that were involved in Bind operations by UserId. You should assume, per Microsoft's documentation, that any email listed in this output has been accessed by an unauthorized third-party and therefore, leaked/exfiltrated. 21 | 22 | ```KQL 23 | let FlaggedIPs = dynamic([ 24 | "1.1.1.1", 25 | "2.2.2.2" 26 | ]); 27 | OfficeActivity 28 | | where ClientIP has_any (FlaggedIPs) 29 | or Client_IPAddress has_any (FlaggedIPs) 30 | or ActorIpAddress has_any (FlaggedIPs) 31 | | where Operation == "MailItemsAccessed" 32 | | extend MailAccessType = tostring(parse_json(OperationProperties)[0].Value) 33 | | where MailAccessType == "Bind" 34 | | extend FolderItems = parse_json(Folders) 35 | | mv-expand todynamic ( FolderItems) 36 | | mv-expand todynamic ( parse_json(FolderItems).FolderItems) 37 | | extend FolderName = tostring(parse_json(FolderItems).Path) 38 | | extend InternetMessageId = tostring(parse_json(FolderItems_FolderItems).InternetMessageId) 39 | | summarize ["Folders"]=make_set(FolderName), 40 | ["Number of Folders"]=dcount(FolderName) 41 | by InternetMessageId, UserId 42 | ``` 43 | ### Query #2 - List of Folders involved in Sync operations 44 | 45 | This query will give you the list of Folders that were involved in Sync operations by UserId. 
You should assume, per Microsoft's documentation, that the content of any Folder listed in this output has been fully synchronized externally and therefore, the emails exfiltrated. 46 | 47 | ```KQL 48 | let FlaggedIPs = dynamic([ 49 | "1.1.1.1", 50 | "2.2.2.2" 51 | ]); 52 | OfficeActivity 53 | | where ClientIP has_any (FlaggedIPs) 54 | or Client_IPAddress has_any (FlaggedIPs) 55 | or ActorIpAddress has_any (FlaggedIPs) 56 | | where Operation == "MailItemsAccessed" 57 | | extend MailAccessType = tostring(parse_json(OperationProperties)[0].Value) 58 | | where MailAccessType == "Sync" 59 | | extend SyncedFolderName = tostring(parse_json(parse_json(Item).ParentFolder).Name) 60 | | extend SyncedFolderPath = tostring(parse_json(parse_json(Item).ParentFolder).Path) 61 | | distinct MailAccessType, SyncedFolderName, SyncedFolderPath, UserId 62 | ``` 63 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 92 - Low Prevalence Unsigned DLL Sideloaded in AppData Folder.md: -------------------------------------------------------------------------------- 1 | # *Low Prevalence Unsigned or Invalidly Signed DLL Sideloaded in AppData Folder* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/04/04 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1574.001 | Hijack Execution Flow: DLL | https://attack.mitre.org/techniques/T1574/001/ | 17 | | T1036.001 | Masquerading: Invalid Code Signature | https://attack.mitre.org/techniques/T1036/001/ | 18 | 19 | #### Description 20 | 21 | This query returns events where an unsigned or invalidly signed DLL gets sideloaded from an AppData folder. A small twist on #100DaysOfKQL Query 18.
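The filtering logic of the Day 92 query, as an added Python example that is not part of this repository's queries: it applies the same AppData subfolder regex to both the initiating process and the loaded DLL, then keeps only DLLs whose file profile is Unsigned or SignedInvalid with a global prevalence below 500. FileProfile() is replaced by a constructed SHA1-to-profile dictionary, and the DeviceImageLoadEvents rows are made up for this example (the paths, hashes and prevalence numbers are assumptions). It also offers a stricter mode, not present in the KQL, that only keeps DLLs loaded from the same folder as the executable, which is the classic sideloading layout described above.

```python
import re
from pathlib import PureWindowsPath

# Regex lifted from the KQL query: a file directly inside one subfolder of
# %LOCALAPPDATA% or %APPDATA%, i.e. C:\Users\<user>\AppData\{Local|Roaming}\<folder>\<file>.
APPDATA_SUBFOLDER = re.compile(r"(?i)^C:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\[^\\]+\\[^\\]+$")

# Constructed stand-in for FileProfile(): SHA1 -> (SignatureState, GlobalPrevalence).
# Real hashes are not used; the values are assumptions for this example.
FILE_PROFILE = {
    "a" * 40: ("Unsigned", 12),
    "b" * 40: ("SignedValid", 3),
    "c" * 40: ("SignedInvalid", 40),
    "d" * 40: ("Unsigned", 150000),
}

# Constructed DeviceImageLoadEvents rows (made up for this example).
SAMPLE_EVENTS = [
    {"InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Updater\updater.exe",
     "FolderPath": r"C:\Users\alice\AppData\Local\Updater\version.dll",
     "FileName": "version.dll", "SHA1": "a" * 40},                      # unsigned, rare, same folder
    {"InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Roaming\Sync\sync.exe",
     "FolderPath": r"C:\Users\alice\AppData\Roaming\Sync\libcurl.dll",
     "FileName": "libcurl.dll", "SHA1": "b" * 40},                      # validly signed: excluded
    {"InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Tool\tool.exe",
     "FolderPath": r"C:\Users\alice\AppData\Roaming\Other\helper.dll",
     "FileName": "helper.dll", "SHA1": "c" * 40},                       # invalid signature, other folder
    {"InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Chat\chat.exe",
     "FolderPath": r"C:\Users\alice\AppData\Local\Chat\common.dll",
     "FileName": "common.dll", "SHA1": "d" * 40},                       # unsigned but prevalent: excluded
    {"InitiatingProcessFolderPath": r"C:\Program Files\Vendor\app.exe",
     "FolderPath": r"C:\Users\alice\AppData\Local\Vendor\plugin.dll",
     "FileName": "plugin.dll", "SHA1": "a" * 40},                       # parent outside AppData: excluded
    {"InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Deep\Nested\run.exe",
     "FolderPath": r"C:\Users\alice\AppData\Local\Deep\Nested\x.dll",
     "FileName": "x.dll", "SHA1": "a" * 40},                            # one level too deep for the regex
]


def low_prevalence_unsigned(sha1, profile, max_prevalence=500):
    """Same condition as the FileProfile() branch of the query."""
    state, prevalence = profile.get(sha1, ("Unknown", None))
    return state in ("Unsigned", "SignedInvalid") and prevalence is not None and prevalence < max_prevalence


def sideload_candidates(events, profile, same_folder_only=False, max_prevalence=500):
    """Return the image-load rows the query would keep. same_folder_only additionally
    requires the DLL to live next to the executable that loaded it."""
    hits = []
    for ev in events:
        if not ev["FileName"].lower().endswith(".dll") or not ev.get("SHA1"):
            continue
        if not (APPDATA_SUBFOLDER.match(ev["InitiatingProcessFolderPath"])
                and APPDATA_SUBFOLDER.match(ev["FolderPath"])):
            continue
        if same_folder_only:
            exe_dir = str(PureWindowsPath(ev["InitiatingProcessFolderPath"]).parent).lower()
            dll_dir = str(PureWindowsPath(ev["FolderPath"]).parent).lower()
            if exe_dir != dll_dir:
                continue
        if low_prevalence_unsigned(ev["SHA1"], profile, max_prevalence):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in sideload_candidates(SAMPLE_EVENTS, FILE_PROFILE):
        print("candidate:", ev["InitiatingProcessFolderPath"], "->", ev["FolderPath"])
    for ev in sideload_candidates(SAMPLE_EVENTS, FILE_PROFILE, same_folder_only=True):
        print("same-folder sideload:", ev["FolderPath"])
```

The broad mode matches what the KQL returns; the same-folder mode trades coverage for precision and is the variant to start from when the broad query is too noisy in a given environment.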
22 | 23 | By AppData folder, I mean a subfolder of either %LOCALAPPDATA% or %APPDATA% like so: 24 | 25 | - C:\Users\$USERNAME\AppData\Local\SomeFolder\Application.exe loading C:\Users\$USERNAME\AppData\Local\SomeFolder\Module.dll 26 | - C:\Users\$USERNAME\AppData\Roaming\SomeFolder\Application.exe loading C:\Users\$USERNAME\AppData\Roaming\SomeFolder\Module.dll 27 | 28 | This query uses the ever so popular FileProfile() to get the signature state of a file. This kind of check can be applied to multiple folders as well (winkwink Downloads folder) where malware are known to be executed initially and/or dropped early on in the infection chain. Not all payloads are signed which makes this an easy detection. 29 | 30 | #### Author 31 | - **Name:** SecurityAura 32 | - **Github:** https://github.com/SecurityAura 33 | - **Twitter:** https://x.com/SecurityAura 34 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 35 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 36 | - **LinkedIn:** Coming Soon! 
37 | - **Website:** https://medium.com/@securityaura 38 | 39 | #### Reference(s) 40 | 41 | - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-fileprofile-function 42 | - https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/ 43 | - https://asec.ahnlab.com/en/64106/ 44 | 45 | ### Queries Overview ### 46 | 47 | - Microsoft Defender for Endpoint (MDE) - 1 query 48 | 49 | ## Microsoft Defender XDR ## 50 | ### Microsoft Defender for Endpoint via DeviceImageLoadEvents ### 51 | ```KQL 52 | let UnsignedLowPrevDLLs = (DeviceImageLoadEvents 53 | | where InitiatingProcessFolderPath matches regex @"(?i)C\:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\[^\\]+\\[^\\]+$" 54 | | where FolderPath matches regex @"(?i)C\:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\[^\\]+\\[^\\]+$" 55 | | where FileName endswith ".dll" 56 | | where isnotempty( SHA1) 57 | | distinct SHA1 58 | | invoke FileProfile("SHA1",1000) 59 | | where SignatureState in ("Unsigned", "SignedInvalid") 60 | | where GlobalPrevalence < 500); 61 | DeviceImageLoadEvents 62 | | where InitiatingProcessFolderPath matches regex @"(?i)C\:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\[^\\]+\\[^\\]+$" 63 | | where FolderPath matches regex @"(?i)C\:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\[^\\]+\\[^\\]+$" 64 | | where FileName endswith ".dll" 65 | | join kind=inner UnsignedLowPrevDLLs on SHA1 66 | ``` 67 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 46 - Azure Subscription Ready Email.md: -------------------------------------------------------------------------------- 1 | # *Azure Subscription Ready Email* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/02/15 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1578 | Modify 
Cloud Compute Infrastructure | https://attack.mitre.org/techniques/T1578/ | 17 | 18 | #### Description 19 | 20 | This query returns events where a "New Azure Subscription is ready" email is sent to a user. 21 | 22 | The actual title of this email, if I remember correctly (and based on what I could find online), is: "Your Azure Subscription is ready". 23 | 24 | What's the idea behind this query? Well, when a user within a tenant creates a new Azure subscription using the free $200 credit they're "entitled" to (https://azure.microsoft.com/en-ca/pricing/purchase-options/azure-account?icid=azurefreeaccount), they receive an email with that subject telling them that their new Azure Subscription is ready. 25 | 26 | While it is interesting to know whether any of your users received such emails because they actually went through that process themselves, for whatever reason, do you know who also takes advantage of this? Threat actors. In tenants where the ability to spin up a new Azure Subscription is not disabled and/or restricted in some fashion, threat actors, once they compromise an account, can spin up a new Azure Subscription using that free $200 credit. From there, they've been observed spinning up resources such as VMs to conduct phishing campaigns against other organizations. And by "they've been" I mean, I also observed them doing so in a few mandates that started as BECs (Business Email Compromise). 27 | 28 | #### Author 29 | - **Name:** SecurityAura 30 | - **Github:** https://github.com/SecurityAura 31 | - **Twitter:** https://x.com/SecurityAura 32 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 33 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 34 | - **LinkedIn:** Coming Soon!
35 | - **Website:** https://medium.com/@securityaura 36 | 37 | ### References ### 38 | 39 | - https://learn.microsoft.com/en-us/microsoft-365/commerce/subscriptions/manage-self-service-signup-subscriptions?view=o365-worldwide 40 | 41 | ### Queries Overview ### 42 | 43 | - Defender for Office 365 (MDO) - 1 query 44 | 45 | ## Microsoft Defender XDR ## 46 | ### Microsoft Defender for Office 365 via EmailEvents ### 47 | ```KQL 48 | EmailEvents 49 | | where Subject =~ "Your Azure Subscription is ready" 50 | // In case the wording of this email changes over time, you could also use a combination of these three (3) words together just in case 51 | // or Subject has_all ("Azure","Subscription","Ready") 52 | ``` 53 | ## Microsoft Sentinel ## 54 | ### Microsoft Defender for Office 365 via EmailEvents ### 55 | ```KQL 56 | EmailEvents 57 | | where Subject =~ "Your Azure Subscription is ready" 58 | // In case the wording of this email changes over time, you could also use a combination of these three (3) words together just in case 59 | // or Subject has_all ("Azure","Subscription","Ready") 60 | ``` 61 | -------------------------------------------------------------------------------- /Defender for Endpoint/Executable File Fetched via WebDAV From External Host.md: -------------------------------------------------------------------------------- 1 | # *Executable File Fetched via WebDAV From External Host* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/06/06 | Initial version | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ | 16 | | T1204 | User Execution | https://attack.mitre.org/techniques/T1204/ | 17 | 18 | #### Description 19 | 20 | This query looks for WebDAV GET or PROPFIND requests to an external host targeting files with a known executable extension/format that are leveraged by threat
actors or malware. This query will only hit on WebDAV requests sent over plain HTTP (not TLS), since it relies on the HttpConnectionInspected ActionType, which means it will not catch the WebDAV campaigns hosted on trycloudflare[.]com. Not all WebDAV servers used to host malicious payloads have TLS enabled, however. The Windows WebClient service identifies itself with a Microsoft-WebDAV-MiniRedir user agent, which is what the UserAgent has "WebDAV" condition keys on. 22 | 23 | Additional file extensions can be added as needed to the regex at the end. 24 | 25 | #### Author 26 | - **Name:** SecurityAura 27 | - **Github:** https://github.com/SecurityAura 28 | - **Twitter:** https://x.com/SecurityAura 29 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 30 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 31 | - **LinkedIn:** Coming Soon! 32 | - **Website:** https://medium.com/@securityaura 33 | 34 | ### References ### 35 | 36 | - https://blog.sekoia.io/webdav-as-a-service-uncovering-the-infrastructure-behind-emmenhtal-loader-distribution/ 37 | - https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/ 38 | - https://www.proofpoint.com/au/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort 39 | - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 40 | 41 | ### Queries Overview ### 42 | 43 | - Defender for Endpoint (MDE) - 1 query 44 | 45 | ## Microsoft Defender XDR ## 46 | ### Defender for Endpoint (MDE) via DeviceNetworkEvents ### 47 | ```KQL 48 | DeviceNetworkEvents 49 | | where ActionType == "HttpConnectionInspected" 50 | | where RemoteIPType == "Public" 51 | | extend UserAgent = tostring(parse_json(AdditionalFields).user_agent) 52 | | extend URI = tostring(parse_json(AdditionalFields).uri) 53 | | extend Method = tostring(parse_json(AdditionalFields).method) 54 | | where UserAgent has "WebDAV" 55 | | where Method in ("GET","PROPFIND") 56 | | where URI matches regex @"(?i)\.(exe|bat|cmd|com|sys|ps1|dll|lnk|vb|vbs|vbe|js|jse|ws|wse|wsf|hta)$" 57 | ``` 58 | ## Microsoft Sentinel ## 59 | ### Defender
for Endpoint (MDE) via DeviceNetworkEvents ### 59 | ```KQL 60 | DeviceNetworkEvents 61 | | where ActionType == "HttpConnectionInspected" 62 | | where RemoteIPType == "Public" 63 | | extend UserAgent = tostring(parse_json(AdditionalFields).user_agent) 64 | | extend URI = tostring(parse_json(AdditionalFields).uri) 65 | | extend Method = tostring(parse_json(AdditionalFields).method) 66 | | where UserAgent has "WebDAV" 67 | | where Method in ("GET","PROPFIND") 68 | | where URI matches regex @"(?i)\.(exe|bat|cmd|com|sys|ps1|dll|lnk|vb|vbs|vbe|js|jse|ws|wse|wsf|hta)$" 69 | ``` 70 | -------------------------------------------------------------------------------- /Defender for Endpoint/ExternalData - Network Connection to LOTS Project Domain.md: -------------------------------------------------------------------------------- 1 | # *ExternalData - Network Connection to LOTS Project Domain* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/07/21 | Initial version | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | N/A | N/A | N/A | 16 | 17 | #### Description 18 | 19 | As of 2025/07/21 the reworked LOTS Project CSV is still a WIP, but this is a basic query to leverage it without any filters (conditions). 20 | 21 | I'll put out more queries once I have reworked the CSV. 22 | 23 | All credit for the original LOTS-Project goes to the one and only @mrd0x, on top of all the contributors who submitted domains/sites over the years. 24 | 25 | https://lots-project.com/ 26 | 27 | #### Author 28 | - **Name:** SecurityAura 29 | - **Github:** https://github.com/SecurityAura 30 | - **Twitter:** https://x.com/SecurityAura 31 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 32 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 33 | - **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceNetworkEvents ###
```KQL
let LOTS = externaldata(Website: string, Tags: string, ServiceProvider: string, Created: date, LastUpdate: date, Credits: string)
[@"https://raw.githubusercontent.com/SecurityAura/DE-TH-Aura/refs/heads/main/Data%20Sources/LOTS-Project-Rework/LOTS-Project-Rework.csv"]
with (format=csv)
// Wildcard entries (*.domain.tld) are reduced to the bare domain so that has_any() also matches subdomains
| extend Website = iff (Website startswith "*.", trim_start(@'\*\.', Website), Website)
| distinct Website;
DeviceNetworkEvents
| extend Domain = case( ActionType in ("ConnectionSuccess","ConnectionFailed"), RemoteUrl,
    ActionType == "HttpConnectionInspected", tostring(parse_json(AdditionalFields).host),
    ActionType == "DnsConnectionInspected", tostring(parse_json(AdditionalFields).query),
    "")
| where Domain has_any (LOTS)
| project-reorder Timestamp, DeviceName, ActionType, Domain
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceNetworkEvents ###
```KQL
let LOTS = externaldata(Website: string, Tags: string, ServiceProvider: string, Created: date, LastUpdate: date, Credits: string)
[@"https://raw.githubusercontent.com/SecurityAura/DE-TH-Aura/refs/heads/main/Data%20Sources/LOTS-Project-Rework/LOTS-Project-Rework.csv"]
with (format=csv)
// Wildcard entries (*.domain.tld) are reduced to the bare domain so that has_any() also matches subdomains
| extend Website = iff (Website startswith "*.", trim_start(@'\*\.', Website), Website)
| distinct Website;
DeviceNetworkEvents
// AdditionalFields is already dynamic in Sentinel, so no parse_json() is needed;
// tostring() keeps every branch of case() the same type as RemoteUrl
| extend Domain = case( ActionType in ("ConnectionSuccess","ConnectionFailed"), RemoteUrl,
    ActionType == "HttpConnectionInspected", tostring(AdditionalFields.host),
    ActionType == "DnsConnectionInspected", tostring(AdditionalFields.query),
    "")
| where Domain has_any (LOTS)
| project-reorder TimeGenerated, DeviceName, ActionType, Domain
```
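An added Python example, not part of this repository, that reproduces the two halves of the query above (wildcard normalization of the CSV and the per-ActionType domain selection) over a constructed CSV fragment and constructed DeviceNetworkEvents-style records. The `has_any()` term matching is approximated with label-wise suffix matching, which is an assumption and slightly stricter than KQL.

```python
import csv
import io
import json
import re

# Constructed CSV fragment in the column layout the query's externaldata() declares.
# These rows are made up for this example and are not taken from the LOTS Project rework.
LOTS_CSV = """Website,Tags,ServiceProvider,Created,LastUpdate,Credits
*.example-tunnel.test,Tunnel,ExampleCorp,2025-07-21,2025-07-21,example
paste.example.test,Paste,ExampleCorp,2025-07-21,2025-07-21,example
"""

# Constructed DeviceNetworkEvents-style records covering the three ActionType branches of the case().
SAMPLE_EVENTS = [
    {"Timestamp": "2025-07-21T10:00:00Z", "DeviceName": "ws01", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "files.example-tunnel.test", "AdditionalFields": ""},
    {"Timestamp": "2025-07-21T10:00:05Z", "DeviceName": "ws02", "ActionType": "HttpConnectionInspected",
     "RemoteUrl": "", "AdditionalFields": json.dumps({"host": "paste.example.test", "method": "GET"})},
    {"Timestamp": "2025-07-21T10:00:09Z", "DeviceName": "ws03", "ActionType": "DnsConnectionInspected",
     "RemoteUrl": "", "AdditionalFields": json.dumps({"query": "updates.vendor.test"})},
    {"Timestamp": "2025-07-21T10:00:12Z", "DeviceName": "ws04", "ActionType": "ConnectionFailed",
     "RemoteUrl": "notexample-tunnel.test", "AdditionalFields": ""},
]


def load_lots(csv_text):
    """Mirror the `let LOTS = ...` block: strip a leading '*.' and keep distinct sites."""
    websites = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        site = re.sub(r"^\*\.", "", row["Website"].strip().lower())  # trim_start(@'\*\.', Website)
        if site:
            websites.add(site)
    return websites


def event_domain(event):
    """Mirror the case() expression that picks the domain column per ActionType."""
    action = event.get("ActionType", "")
    if action in ("ConnectionSuccess", "ConnectionFailed"):
        return event.get("RemoteUrl") or ""
    fields = json.loads(event.get("AdditionalFields") or "{}")  # parse_json(AdditionalFields)
    if action == "HttpConnectionInspected":
        return fields.get("host") or ""
    if action == "DnsConnectionInspected":
        return fields.get("query") or ""
    return ""


def matches_lots(domain, lots):
    """Approximate `Domain has_any (LOTS)` with label-wise suffix matching (assumption):
    a listed site matches itself and its subdomains, but 'notexample-tunnel.test'
    is not a hit for 'example-tunnel.test'. KQL term matching is somewhat looser."""
    d = domain.lower().rstrip(".")
    return any(d == site or d.endswith("." + site) for site in lots)


def find_lots_connections(events, lots):
    """Return (Timestamp, DeviceName, ActionType, Domain) for events hitting a LOTS site."""
    hits = []
    for ev in events:
        domain = event_domain(ev)
        if domain and matches_lots(domain, lots):
            hits.append((ev["Timestamp"], ev["DeviceName"], ev["ActionType"], domain))
    return hits


if __name__ == "__main__":
    for hit in find_lots_connections(SAMPLE_EVENTS, load_lots(LOTS_CSV)):
        print(hit)
```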
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 98 - Execution from a Low Prevalence, Non-Signed or Invalidly Signed Binary from C:\Windows.md:
--------------------------------------------------------------------------------
# *Execution from a Low Prevalence, Non-Signed or Invalidly Signed Binary from C:\Windows*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/04/10 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1036.001 | Masquerading: Invalid Code Signature | https://attack.mitre.org/techniques/T1036/001/ |

#### Description

This query returns events where a low prevalence, non-signed or invalidly signed binary is executed from the C:\Windows folder.

The reasoning behind this query is simple: catch unknown binary files that are executed remotely in a PsExec-like way on Windows. Since most of these, such as the ones launched by PsExec.exe -c, will end up being dropped and executed from the C:\Windows folder, which should only contain known, trusted and signed binaries (I'll remove my rose-colored glasses after hitting Commit on this page), this query should highlight the outliers.

Obviously this query will not trigger on prevalent and signed files (e.g.: tools) that could be abused by threat actors.

These queries are only available in Defender XDR (Advanced Hunting) since they rely on FileProfile().

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Microsoft Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
// Threshold-based rule, which means that you should adjust this value to one that fits your environment and needs
let GlobalPrevalenceThreshold = 500;
DeviceProcessEvents
// Only binaries sitting directly in C:\Windows, not in its subfolders
| where FolderPath matches regex @"(?i)C\:\\WINDOWS\\[^\\]+$"
| summarize ["Devices"]=make_set(DeviceName),
    ["DeviceCount"]=dcount(DeviceName)
    by FolderPath, SHA1
| invoke FileProfile("SHA1",1000)
// A comparison against an empty GlobalPrevalence (hash unknown to FileProfile) is not true;
// add isempty(GlobalPrevalence) to the condition if you also want those files returned
| where GlobalPrevalence < GlobalPrevalenceThreshold
    or SignatureState in ("Unsigned", "SignedInvalid")
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 36 - 7-Zip or WinRAR Used With Password-Protected Archives.md:
--------------------------------------------------------------------------------
# *7-Zip or WinRAR Used With Password-Protected Archives*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/02/05 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1560.001 | Archive Collected Data: Archive via Utility | https://attack.mitre.org/techniques/T1560/001/ |

#### Description

These queries return events where 7-Zip or WinRAR is seen interacting with a password-protected archive, based on the use of the "password" parameter.

It is no secret that threat actors like to use archives, be it for ingress (pulling payloads or additional tools into a network) or egress (data exfil). Sometimes, they'll even password-protect these archives to protect them against prying eyes: for instance, to prevent incident responders from grabbing an archive holding their tools, scripts or payloads, or to prevent these same incident responders from extracting the content of an archive they created holding data (e.g.: files) collected from a system. Or even ... simply "ransom" companies using password-protected archives (https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/).

All in all, interacting with password-protected archives from the command line using 7-Zip or WinRAR may be unusual in some environments. Therefore, hunting for or detecting this kind of activity could help you detect threat actors (or even malware) in your network going around, playing with these archives.

The good news is that, if you're able to detect this activity, it also means that you have the archive password in the event (telemetry). So if you can get your hands on whatever archive was involved, you can get its content by using the password.
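An added, hypothetical Python helper (not part of this repository) that applies the same 7-Zip/WinRAR logic as the queries to constructed DeviceProcessEvents-style records and pulls the archive path and password out of the command line, so that a responder can open the archive as the last paragraph describes. The tokenizer only honours double quotes, which is an assumption about the command lines you will see.

```python
import re

# Binaries the queries look for (compared case-insensitively, like in~ in KQL).
SEVENZIP = {"7z.exe", "7zr.exe", "7za.exe"}
WINRAR = {"winrar.exe", "rar.exe"}
# Archive commands: a (add) for both tools, x (extract with paths) for 7-Zip, as in the query.
ARCHIVE_COMMANDS = {"a": "create", "x": "extract"}

# Constructed DeviceProcessEvents-style records; none of these come from a real incident.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "7z.exe",
     "ProcessCommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cr3t! -mhe=on C:\Temp\out.7z C:\Users\Public\Documents'},
    {"DeviceName": "ws02", "FileName": "rar.exe",
     "ProcessCommandLine": r'rar.exe a -p"long pass" -r C:\Temp\docs.rar C:\Finance\*.xlsx'},
    {"DeviceName": "ws03", "FileName": "7za.exe",
     "ProcessCommandLine": r"7za.exe x -p C:\Temp\tools.7z -oC:\Temp\tools"},
    {"DeviceName": "ws04", "FileName": "7z.exe",
     "ProcessCommandLine": r"7z.exe a C:\Temp\backup.7z C:\Data"},
    {"DeviceName": "ws05", "FileName": "WinRAR.exe",
     "ProcessCommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\x.rar"'},
]


def split_command_line(cmdline):
    """Split on whitespace while keeping double-quoted runs together (assumption: only
    double quotes matter, which holds for the 7-Zip/WinRAR switches shown here)."""
    return [tok.replace('"', "") for tok in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def analyze_archive_command(file_name, cmdline):
    """Return None unless this is a 7-Zip/WinRAR add/extract carrying a -p switch; otherwise
    return the tool, operation, archive path and the password as it appears in telemetry."""
    name = file_name.lower()
    if name in SEVENZIP:
        tool = "7-Zip"
    elif name in WINRAR:
        tool = "WinRAR"
    else:
        return None
    tokens = split_command_line(cmdline)
    if len(tokens) < 2:
        return None
    operation = ARCHIVE_COMMANDS.get(tokens[1].lower())
    if operation is None:
        return None
    password = None
    archive = None
    for tok in tokens[2:]:
        if tok.startswith("-p"):
            # A bare -p makes both tools prompt, so the password never reaches the command line.
            password = tok[2:] if len(tok) > 2 else "<prompted>"
        elif tok.startswith("-"):
            continue  # other switches (-mhe=on, -r, -o<dir>, ...) are not of interest here
        elif archive is None:
            archive = tok  # first non-switch argument after the command is the archive
    if password is None:
        return None
    return {"tool": tool, "operation": operation, "archive": archive, "password": password}


def find_password_protected_archives(events):
    """Apply analyze_archive_command() to each record, like the where clause of the query."""
    results = []
    for ev in events:
        info = analyze_archive_command(ev["FileName"], ev["ProcessCommandLine"])
        if info:
            results.append({"DeviceName": ev["DeviceName"], **info})
    return results


if __name__ == "__main__":
    for r in find_password_protected_archives(SAMPLE_EVENTS):
        print(r)
```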

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where (FileName in~ ("7z.exe","7zr.exe","7za.exe")
    and ProcessCommandLine contains " -p"
    and ProcessCommandLine has_any (" a "," x "))
    or (FileName in~ ("WinRAR.exe","RAR.exe") and ProcessCommandLine has_all ("a","-p"))
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where (FileName in~ ("7z.exe","7zr.exe","7za.exe")
    and ProcessCommandLine contains " -p"
    and ProcessCommandLine has_any (" a "," x "))
    or (FileName in~ ("WinRAR.exe","RAR.exe") and ProcessCommandLine has_all ("a","-p"))
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 76 - Cloudflared Usage.md:
--------------------------------------------------------------------------------
# *Cloudflared Usage*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/18 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1572 | Protocol Tunneling | https://attack.mitre.org/techniques/T1572/ |
| T1090 | Proxy | https://attack.mitre.org/techniques/T1090/ |

#### Description

This query returns events where cloudflared was observed through various means.

Cloudflared is a legitimate reverse proxy tool that can be used to create secure tunnels and whose main purpose is basically to expose endpoints and applications so that they can be used externally. The way threat actors use it, however, is also to set up reverse tunnels so that they can then remotely connect to these internal endpoints from the outside. One of their common use cases is to set up a cloudflared agent on a compromised system and, through the tunnel that has been established, RDP into that system, which is much more comfortable to work with once you have access to a GUI.

Sadly, the Cloudflared binary has no metadata associated with it, so it needs to be targeted by its default file name and/or process command line arguments.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via union DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents ###
```KQL
union DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents
// Column names are case-sensitive in KQL: InitiatingProcessFileName, not InitiatingProcessFilename
| where FileName has "cloudflared"
    or InitiatingProcessFileName has "cloudflared"
    or ProcessCommandLine has_all ("tunnel", "run", "--token")
    or InitiatingProcessCommandLine has_all ("tunnel", "run", "--token")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via union DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents ###
```KQL
union DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents
// Column names are case-sensitive in KQL: InitiatingProcessFileName, not InitiatingProcessFilename
| where FileName has "cloudflared"
    or InitiatingProcessFileName has "cloudflared"
    or ProcessCommandLine has_all ("tunnel", "run", "--token")
    or InitiatingProcessCommandLine has_all ("tunnel", "run", "--token")
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 47 - Credential Discovery Activity Through findstr.exe and reg.exe.md:
--------------------------------------------------------------------------------
# *Credential Discovery Activity Through findstr.exe and reg.exe*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/02/16 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1552.001 | Unsecured Credentials: Credentials In Files | https://attack.mitre.org/techniques/T1552/001/ |
| T1552.002 | Unsecured Credentials: Credentials In Registry | https://attack.mitre.org/techniques/T1552/002/ |

#### Description

This query returns events where findstr.exe (for files, folders, etc.) and reg.exe (for the Registry) are potentially being used to search for credentials (passwords, secrets, keys, etc.).

This query is as simple as it sounds: some malware, or more often a threat actor, looking for these "low-hanging fruit" credentials using findstr.exe and reg.exe. They'll search for patterns such as: pass, password, secret, key, etc. in the hope of finding unsecured credentials that will allow them to get their hands on other, and hopefully (for them), more privileged accounts.

It is probably also one of the easiest ways to look for those old, legacy cPasswords that haven't been removed from Group Policy Preferences (GPP) files in Sysvol.

You can add any interesting string to be alerted on (or returned as a result) in this query as well. There may be an overlap with Defender for Endpoint (MDE) built-in detections however, as I've seen alerts triggered by a simple findstr.exe for "password" in the past.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
let InterestingStrings = dynamic([
    "pass",
    "password",
    "passwords",
    "secret",
    "secrets",
    "key",
    "keys",
    "creds",
    "credential",
    "credentials"
]);
DeviceProcessEvents
| where FileName =~ "findstr.exe"
    or (FileName =~ "reg.exe" and ProcessCommandLine has " query ")
| where ProcessCommandLine has_any (InterestingStrings)
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
let InterestingStrings = dynamic([
    "pass",
    "password",
    "passwords",
    "secret",
    "secrets",
    "key",
    "keys",
    "creds",
    "credential",
    "credentials"
]);
DeviceProcessEvents
| where FileName =~ "findstr.exe"
    or (FileName =~ "reg.exe" and ProcessCommandLine has " query ")
| where ProcessCommandLine has_any (InterestingStrings)
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 6 - Files Potentially Holding Sensitive Information (MDE).md:
--------------------------------------------------------------------------------
# *Files Potentially Holding Sensitive Information (MDE)*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/06 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1552.001 | Unsecured Credentials: Credentials In Files | https://attack.mitre.org/techniques/T1552/001/ |

#### Description

A query similar to the one shared on Day 4 of #100DaysOfKQL, but for file-based activity. You can define a list of sensitive strings (e.g.: pass, password, passwords, etc.) and look for files that have these strings in their name.

You can also define which kind of files you're looking for, based on their extension (e.g.: DOC, DOCX, TXT, etc.).

This query can help identify potentially unsecured files that may hold sensitive information such as: credentials, secrets, API tokens and the like. These are also the files a threat actor could find when running basic searches for files with these strings in their name.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceFileEvents ###
```KQL
// You can add interesting filename strings as needed
let FileNameStrings = dynamic([
    "pass",
    "password",
    "passwords",
    "cred",
    "creds",
    "credential",
    "credentials",
    "secret",
    "secrets",
    "keys"
]);
// You can add file extensions you may be looking for as needed
let FileExtensions = dynamic([
    "txt",
    "doc",
    "docx",
    "bat",
    "cmd",
    "ps1",
    "rtf",
    "png",
    "jpg",
    "jpeg"
]);
DeviceFileEvents
| where FileName has_any (FileNameStrings)
// Last dot-separated part of the file name, cast to string for the in~ comparison
| extend FileExtension = tostring(split(FileName,".")[-1])
| where FileExtension in~ (FileExtensions)
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceFileEvents ###
```KQL
// You can add interesting filename strings as needed
let FileNameStrings = dynamic([
    "pass",
    "password",
    "passwords",
    "cred",
    "creds",
    "credential",
    "credentials",
    "secret",
    "secrets",
    "keys"
]);
// You can add file extensions you may be looking for as needed
let FileExtensions = dynamic([
    "txt",
    "doc",
    "docx",
    "bat",
    "cmd",
    "ps1",
    "rtf",
    "png",
    "jpg",
    "jpeg"
]);
DeviceFileEvents
| where FileName has_any (FileNameStrings)
// Last dot-separated part of the file name, cast to string for the in~ comparison
| extend FileExtension = tostring(split(FileName,".")[-1])
| where FileExtension in~ (FileExtensions)
```
--------------------------------------------------------------------------------
/Defender for Endpoint/evil-winrm-py - File Upload and Download.md:
--------------------------------------------------------------------------------
# *evil-winrm-py - File Upload and Download*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/06/04 | Initial version |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1021.006 | Remote Services: Windows Remote Management | https://attack.mitre.org/techniques/T1021/006/ |

#### Description

This query looks for potential file upload and/or download activity originating from evil-winrm-py (https://github.com/adityatelange/evil-winrm-py) by @adityatelange (on Twitter/X).

These static detections are possible because of the underlying send.ps1 script and run_ps Python method that are used, which execute PowerShell commands.

When downloading a file via evil-winrm-py (e.g.: download C:\Temp\FileToExfil.txt /tmp ), a Resolve-Path PowerShell command will be executed against that target file, which is interesting because it'll precisely identify which file was downloaded.

As for the file upload, through send.ps1, the [System.IO.Path]::GetTempFileName() call is used to get a temporary filename (e.g.: tmp1234E.tmp, which is basically tmp*.tmp) to drop the file in the temp location first (e.g.: %TEMP%) before moving it to the destination passed to the upload command.

For both operations, the process involved is wsmprovhost.exe, which means there is a possibility to widen these queries to other kinds of WinRM abuse should other tools be used.

The inspiration for these queries is @TJ_Null (on Twitter/X), when he tweeted about that tool (https://x.com/TJ_Null/status/1930272511326933310). All credit goes to him for that. And @adityatelange for the tool!

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 2 queries

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceFileEvents - File Upload ###
```KQL
DeviceFileEvents
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
// The temporary file created by GetTempFileName() is renamed to its final name, hence PreviousFileName
| where PreviousFileName matches regex @"(?i)tmp[A-Za-z0-9]+\.tmp"
```
### Defender for Endpoint (MDE) via DeviceEvents - File Download ###
```KQL
DeviceEvents
| where ActionType == "PowerShellCommand"
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where AdditionalFields has "Resolve-Path"
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceFileEvents - File Upload ###
```KQL
DeviceFileEvents
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
// The temporary file created by GetTempFileName() is renamed to its final name, hence PreviousFileName
| where PreviousFileName matches regex @"(?i)tmp[A-Za-z0-9]+\.tmp"
```
### Defender for Endpoint (MDE) via DeviceEvents - File Download ###
```KQL
DeviceEvents
| where ActionType == "PowerShellCommand"
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where AdditionalFields has "Resolve-Path"
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 14 - Potential Tunneled RDP Session.md:
--------------------------------------------------------------------------------
# *Potential Tunneled RDP Session*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/14 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1021.001 | Remote Services: Remote Desktop Protocol | https://attack.mitre.org/techniques/T1021/001/ |
| T1572 | Protocol Tunneling | https://attack.mitre.org/techniques/T1572/ |

#### Description

This query returns events where an RDP session may have been opened through a tunnel, set up with tools such as plink and ngrok, or built-in binaries such as SSH on a Windows host.

Identification of these sessions comes from the distinct IP address that is present in these logon events, namely:

- 127.0.0.1
- ::1
- ::%16777216

The last one is quite distinctive when the RDP session is opened through an ngrok tunnel. See the tweet below from Stephan Berger (@malmoeb), in which I was also tagged back then (feelold.png).

https://x.com/malmoeb/status/1519710302820089857?lang=ar-x-fm

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

#### Reference(s)

- https://x.com/malmoeb/status/1519710302820089857?lang=ar-x-fm
- https://www.logpoint.com/en/blog/a-deep-look-at-the-darkside-ransomware-operators-and-their-affiliates/
- https://news.sophos.com/en-us/2022/07/14/rapid-response-the-ngrok-incident-guide/
- https://cloud.google.com/blog/topics/threat-intelligence/bypassing-network-restrictions-through-rdp-tunneling

### Queries Overview ###

- Microsoft Defender for Endpoint (MDE) - 1 query
- Microsoft Sentinel (SecurityEvents) - 1 query
- Microsoft Sentinel (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational) - 1 query

## Defender XDR ##
### Microsoft Defender for Endpoint via DeviceLogonEvents ###
```KQL
DeviceLogonEvents
| where LogonType == "RemoteInteractive"
| where RemoteIP in ("127.0.0.1","::1","::%16777216")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceLogonEvents ###
```KQL
DeviceLogonEvents
| where LogonType == "RemoteInteractive"
| where RemoteIP in ("127.0.0.1","::1","::%16777216")
```
### Microsoft Sentinel via SecurityEvents (Event ID 4624) ###
```KQL
SecurityEvent
// EventID and LogonType are integer columns in SecurityEvent, so compare against numbers
| where EventID == 4624
| where LogonType == 10
| where IpAddress in ("127.0.0.1","::1","::%16777216")
```
### Microsoft Sentinel via Microsoft-Windows-TerminalServices-LocalSessionManager/Operational (Event ID 21 to 25) ###
```KQL
Event
| where Source == "Microsoft-Windows-TerminalServices-LocalSessionManager"
// EventID is an integer column in the Event table
| where EventID in (21, 22, 23, 24, 25)
| where ParameterXml has_any ("127.0.0.1","::1","::%16777216")
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 19 - Summarized Defender for Endpoint AntivirusDetection By Endpoint.md:
--------------------------------------------------------------------------------
# *Summarized Defender for Endpoint AntivirusDetection By Endpoint*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/01 | Initial version (part of #100DaysOfKQL) |
| 2025/05/19 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| N/A | N/A | N/A |

#### Description

This query returns a summarized list of AntivirusDetection events by DeviceName, with highlighted (read: interesting) properties to look at.

This is more of an ... investigative kind of query, for when you want to get an idea of how many threats were detected in X days in an environment and maybe even identify the devices with the most detections.

It's also a good example of the bag_pack() KQL function, showing how you can create an arbitrary dynamic object with properties (fields) of your choosing. There are many more fields that can be added and/or formatted directly in this query's bag_pack(). Hopefully it'll serve as a good base for you to start playing with it!

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

#### Reference(s)

- https://learn.microsoft.com/en-us/kusto/query/pack-function?view=microsoft-sentinel

### Queries Overview ###

- Microsoft Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
| extend DetectedObject = strcat(FolderPath,"\\",FileName)
// bag_pack() builds one dynamic object per detection with the properties worth looking at
| extend ThreatDetails = bag_pack(
    "ThreatName", ThreatName,
    "DetectedObject", DetectedObject,
    "DetectedObjectOrigin", FileOriginUrl,
    "InitiatingProcess", InitiatingProcessFolderPath,
    "InitiatingProcessCommandLine", InitiatingProcessCommandLine
)
| summarize ["Threats"]=make_set(ThreatDetails),
    ["ThreatsCount"]=dcount(tostring(ThreatDetails))
    by DeviceName
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
| extend DetectedObject = strcat(FolderPath,"\\",FileName)
// bag_pack() builds one dynamic object per detection with the properties worth looking at
| extend ThreatDetails = bag_pack(
    "ThreatName", ThreatName,
    "DetectedObject", DetectedObject,
    "DetectedObjectOrigin", FileOriginUrl,
    "InitiatingProcess", InitiatingProcessFolderPath,
    "InitiatingProcessCommandLine", InitiatingProcessCommandLine
)
| summarize ["Threats"]=make_set(ThreatDetails),
    ["ThreatsCount"]=dcount(tostring(ThreatDetails))
    by DeviceName
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 63 - File Added to Startup Folder.md:
--------------------------------------------------------------------------------
# *File Added to Startup Folder*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/04 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1547/001/ |

#### Description

This query returns events where a file was added to Windows' Startup folder, be it for all users (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup) or a specific user (%AppData%\Microsoft\Windows\Start Menu\Programs\Startup).

A few years back, adding a file to the Startup folder to kick off a malware and/or process used to be all the rage with commodity malware. It seems to be less common these days, but it can still be seen in certain malware families.

Depending on the environment, it should be pretty quick to see whether a file that gets created in a Startup folder is legitimate or not, even more so depending on the extension it has. For instance, script files such as PS1 and CMD/BAT are suspicious, but so are JS, JSE, WS, WSE, etc.

Nowadays, with LNKs being abused for all kinds of things, including being dropped in Startup folders, they also should not be overlooked.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
DeviceFileEvents
| extend FileExtension = tostring(split(FileName,".")[-1])
| where FolderPath matches regex @'(?i)\\Microsoft\\Windows\\Start\ Menu\\Programs\\Startup\\(.*)?'
// We "normalize" the FolderPath if it's a single user one (C:\Users\USERNAME\AppData\[...]) to assist in our summarization (clustering)
| extend NormalizedFolderPath = replace(@'(?i)C\:\\Users\\[^\\]+\\',@"C:\Users\USERNAME\",FolderPath)
| summarize ["Devices"]=make_set(DeviceName),
            ["Number of Devices"]=dcount(DeviceName)
    by NormalizedFolderPath
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
DeviceFileEvents
| extend FileExtension = tostring(split(FileName,".")[-1])
| where FolderPath matches regex @'(?i)\\Microsoft\\Windows\\Start\ Menu\\Programs\\Startup\\(.*)?'
// We "normalize" the FolderPath if it's a single user one (C:\Users\USERNAME\AppData\[...]) to assist in our summarization (clustering)
| extend NormalizedFolderPath = replace(@'(?i)C\:\\Users\\[^\\]+\\',@"C:\Users\USERNAME\",FolderPath)
| summarize ["Devices"]=make_set(DeviceName),
            ["Number of Devices"]=dcount(DeviceName)
    by NormalizedFolderPath
```
-------------------------------------------------------------------------------- /100DaysOfKQL/Day 82 - File Downloaded from Uncommon TLD.md: --------------------------------------------------------------------------------
# *File Downloaded from Uncommon TLD*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/24 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| N/A | N/A | N/A |

#### Description

DISCLAIMER - I have to post this query quickly today. I'll come back to it and update it with more information later on.

This query returns events where a file was most likely downloaded from a site/domain with an uncommon TLD.

An exploratory query that returns events where an executable or archive (the extensions are listed in a dynamic variable) was most likely downloaded into a user's Downloads folder from a site/domain with an uncommon TLD (the common ones being defined in a regex). You can adjust both the file extensions you want to target and the TLDs you consider "not" uncommon (e.g.: COM, NET, ORG, etc.).

A nice, little, fun query to explore a bit where your users are downloading files from.
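As an added example (not part of the original post), here is the same hunt rewritten around `parse_url()` and an exact-match TLD allowlist, run against a handful of constructed DeviceFileEvents rows embedded in a `datatable` so it executes as-is in any Kusto environment; swap `SampleDeviceFileEvents` for `DeviceFileEvents` to run it for real. Two things differ from the queries that follow: the host comes from `parse_url()`, so a port suffix such as `:8080` never ends up in the TLD, and the allowlist is matched with `!in~` rather than a substring regex, so a TLD such as `cam` is not swallowed by the `ca` entry. The last DNS label remains a naive stand-in for the public suffix (`co.uk` is treated as `uk`), which is good enough for a first exploration. The sample hosts, devices and the `CommonTLDs` list are constructed.

```kql
// Constructed sample rows standing in for DeviceFileEvents (not real telemetry)
let SampleDeviceFileEvents = datatable(Timestamp:datetime, DeviceName:string, FileName:string, FolderPath:string, FileOriginUrl:string) [
    datetime(2025-03-24 10:00:00), "WS-01", "setup.exe",   @"C:\Users\alice\Downloads\setup.exe",   "https://downloads.example.com/setup.exe",
    datetime(2025-03-24 10:05:00), "WS-01", "invoice.zip", @"C:\Users\alice\Downloads\invoice.zip", "https://cdn.example-files.cam/invoice.zip",
    datetime(2025-03-24 10:07:00), "WS-02", "tool.exe",    @"C:\Users\bob\Downloads\tool.exe",      "http://mirror.example.xyz:8080/tool.exe",
    datetime(2025-03-24 10:09:00), "WS-02", "readme.txt",  @"C:\Users\bob\Downloads\readme.txt",    "https://example.top/readme.txt",
    datetime(2025-03-24 10:11:00), "WS-03", "update.msi",  @"C:\Users\carol\Downloads\update.msi",  "https://packages.example.co.uk/update.msi",
    datetime(2025-03-24 10:12:00), "WS-03", "notes.exe",   @"C:\Users\carol\Downloads\notes.exe",   "file:///C:/Temp/notes.exe"
];
// Add or remove extensions as needed
let TargetedExtensions = dynamic(["exe", "dll", "msi", "ps1", "cmd", "bat", "zip"]);
// TLDs considered common in this environment (assumption); matched exactly, so "cam" is not excluded for containing "ca"
let CommonTLDs = dynamic(["com", "net", "org", "ca", "gov", "edu", "uk"]);
SampleDeviceFileEvents
| where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\Downloads\\(.*)?"
| extend FileExtension = tostring(split(FileName, ".")[-1])
| where FileExtension in~ (TargetedExtensions)
| where isnotempty(FileOriginUrl)
| where not (FileOriginUrl has_any ("file:///", "about:internet"))
// parse_url() separates the host from scheme, port and path, so "host:8080" cannot leak into the TLD
| extend Host = tostring(parse_url(FileOriginUrl).Host)
| extend DomainTLD = tostring(split(Host, ".")[-1])
| where DomainTLD !in~ (CommonTLDs)
// One row per uncommon TLD, rarest first, with the hosts, files and devices behind it
| summarize Downloads = count(), Hosts = make_set(Host), Files = make_set(FileName), Devices = make_set(DeviceName) by DomainTLD
| order by Downloads asc, DomainTLD asc
```

On the six constructed rows only the `.cam` and `.xyz` downloads survive: `readme.txt` is dropped by the extension list, the `file:///` origin by the scheme filter, and `example.com` and `example.co.uk` by the allowlist. With the original unanchored regex the `.cam` row would have been silently excluded as well.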
#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
// Add or remove extensions as needed
let TargetedExtensions = dynamic([
    "exe",
    "dll",
    "ps1",
    "cmd",
    "bat",
    "zip"
]);
DeviceFileEvents
| where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\Downloads\\(.*)?"
| extend FileExtension = tostring(split(FileName,".")[-1])
| where FileExtension in~ (TargetedExtensions)
| where isnotempty(FileOriginUrl)
| where not (FileOriginUrl has_any ("file:///", "about:internet"))
| extend RootDomain = extract(@"[^.]+\.[^.]+$",0, extract(@"^(?:https?://)?([^/]+)",1,FileOriginUrl))
| extend DomainTLD = tostring(split(RootDomain,".")[-1])
// Add or remove TLDs as needed. The regex is anchored so only the exact TLD is excluded (unanchored, "ca" would also exclude "cam", "cat", etc.)
| where not (DomainTLD matches regex "^(ca|com|net|org)$")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
// Add or remove extensions as needed
let TargetedExtensions = dynamic([
    "exe",
    "dll",
    "ps1",
    "cmd",
    "bat",
    "zip"
]);
DeviceFileEvents
| where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\Downloads\\(.*)?"
| extend FileExtension = tostring(split(FileName,".")[-1])
| where FileExtension in~ (TargetedExtensions)
| where isnotempty(FileOriginUrl)
| where not (FileOriginUrl has_any ("file:///", "about:internet"))
| extend RootDomain = extract(@"[^.]+\.[^.]+$",0, extract(@"^(?:https?://)?([^/]+)",1,FileOriginUrl))
| extend DomainTLD = tostring(split(RootDomain,".")[-1])
// Add or remove TLDs as needed. The regex is anchored so only the exact TLD is excluded (unanchored, "ca" would also exclude "cam", "cat", etc.)
| where not (DomainTLD matches regex "^(ca|com|net|org)$")
```
-------------------------------------------------------------------------------- /100DaysOfKQL/Day 67 - Potential Discovery via PowerShell Test-Connection and Test-NetConnection.md: --------------------------------------------------------------------------------
# *Potential Discovery via PowerShell Test-Connection and Test-NetConnection*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/08 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1046 | Network Service Discovery | https://attack.mitre.org/techniques/T1046/ |

#### Description

DISCLAIMER - I'm currently sick and fighting sleepiness as I post this. As usual, I'll enhance this page with more information when I get better/get back. For now, consider this a hunting query.

This query returns events where the Test-Connection or Test-NetConnection PowerShell cmdlet has been used.

PS: For more immediate context, these cmdlets have been observed being used in "homemade" discovery commands and/or PowerShell scripts by threat actors.
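As an added example (not the post's own query), the DeviceProcessEvents variant taken one step further: it pulls every target handed to Test-Connection or Test-NetConnection out of the command line with `extract_all()`, then counts distinct targets per device, account and hour, which separates an administrator checking one host from a script walking a subnet. The rows are constructed and embedded in a `datatable`; replace `SampleDeviceProcessEvents` with `DeviceProcessEvents` to run it for real. The regex only handles a target given positionally or via `-ComputerName`/`-TargetName` directly after the cmdlet name (a switch placed before the target, such as `-Count 1 -ComputerName host`, is not parsed), and the `SweepThreshold` of 5 is an assumption to tune to your environment.

```kql
// Constructed sample rows standing in for DeviceProcessEvents (not real telemetry)
let SampleDeviceProcessEvents = datatable(Timestamp:datetime, DeviceName:string, AccountName:string, FileName:string, ProcessCommandLine:string) [
    datetime(2025-03-08 09:00:00), "WS-FIN-01", "alice",     "powershell.exe", "powershell.exe -NoProfile -Command Test-NetConnection -ComputerName printsrv01 -Port 9100",
    datetime(2025-03-08 09:05:00), "WS-FIN-01", "alice",     "powershell.exe", "powershell.exe -NoProfile -Command Test-NetConnection printsrv01 -Port 9100",
    datetime(2025-03-08 23:10:00), "WS-ENG-07", "svc_build", "pwsh.exe",       "pwsh.exe -NoProfile -Command Test-Connection -ComputerName 10.10.0.1 -Count 1 -Quiet; Test-Connection -ComputerName 10.10.0.2 -Count 1 -Quiet; Test-Connection -ComputerName 10.10.0.3 -Count 1 -Quiet",
    datetime(2025-03-08 23:11:00), "WS-ENG-07", "svc_build", "pwsh.exe",       "pwsh.exe -NoProfile -Command Test-NetConnection 10.10.0.4 -Port 445; Test-NetConnection 10.10.0.5 -Port 445; Test-NetConnection 10.10.0.6 -Port 3389",
    datetime(2025-03-08 10:00:00), "WS-HR-03",  "bob",       "powershell.exe", "powershell.exe -NoProfile -Command Get-Process"
];
// Distinct targets within one hour at or above which a device/account pair is flagged (assumption, tune per environment)
let SweepThreshold = 5;
SampleDeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Test-Connection", "Test-NetConnection")
// Capture each target that follows the cmdlet, given positionally or through -ComputerName/-TargetName
| extend Targets = extract_all(@"(?i)Test-(?:Net)?Connection\s+(?:-(?:ComputerName|TargetName)\s+)?[""']?([^\s""';|),]+)", ProcessCommandLine)
| mv-expand Target = Targets to typeof(string)
| summarize DistinctTargets = dcount(Target),
            Targets = make_set(Target),
            Commands = make_set(ProcessCommandLine)
    by DeviceName, AccountName, bin(Timestamp, 1h)
| extend Assessment = iff(DistinctTargets >= SweepThreshold, "possible sweep", "single or few targets")
| order by DistinctTargets desc
```

On the constructed rows, WS-ENG-07/svc_build ends up with six distinct targets in the 23:00 hour and is marked as a possible sweep, while WS-FIN-01/alice, who probed the same print server twice, stays at one. In production, the `Commands` set gives you the exact command lines to review before deciding whether the activity is administrative.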
#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://unit42.paloaltonetworks.com/thanos-ransomware/

### Queries Overview ###

- Defender for Endpoint (MDE) - 3 queries

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where Command has_any ("Test-Connection","Test-NetConnection")
```
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine has_any ("Test-Connection","Test-NetConnection")
```
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe")
| where InitiatingProcessCommandLine has_any ("Test-Connection","Test-NetConnection")
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceEvents ###
```KQL
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where Command has_any ("Test-Connection","Test-NetConnection")
```
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine has_any ("Test-Connection","Test-NetConnection")
```
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe")
| where InitiatingProcessCommandLine has_any ("Test-Connection","Test-NetConnection")
```
-------------------------------------------------------------------------------- /100DaysOfKQL/Day 62 - PortableApps Application Observed.md: --------------------------------------------------------------------------------
# *PortableApps Application Observed*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/03 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| N/A | N/A | N/A |

#### Description

This query returns events where a PortableApps application (.paf.exe extension) was observed.

"Portable apps", typically associated with PortableApps.com, are "self-contained" applications that an installer places in an arbitrary folder. They let you download and use applications without installing them: the application basically "lives" in the folder it was "installed" in, without touching the Windows Registry or anything else. Everything it needs to work (configuration, settings, files, etc.) sits in its "installation" folder.

In a certain way, portable apps can be seen as a way to "bypass" installation restrictions: you "install" an application in a folder of your choosing, and it is not subject to certain restrictions that are in place, such as GPOs enforcing certain Registry keys.

Threat actors have been observed using portable apps (.paf.exe) in certain attacks, though it does not seem to be that popular.
I myself can probably count on one hand the number of ransomware-related IRs where I've seen such apps being used, even though at least one of those fingers would go to a ransomware engagement in 2025.

In Defender for Endpoint (MDE), you can look for portable apps through their distinctive ".paf.exe" extension (which is just an .exe with ".paf" inserted before the extension) and/or through files being downloaded from PortableApps.com.

PS: If, while hunting for these, you find a user running a portable version of a web browser in a corporate setting, you may want to ask them what they are trying to achieve.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 2 queries

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where FileName endswith ".paf.exe"
    or FileOriginUrl has "portableapps.com"
    or FileOriginReferrerUrl has "portableapps.com"
```
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName endswith ".paf.exe"
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where FileName endswith ".paf.exe"
    or FileOriginUrl has "portableapps.com"
    or FileOriginReferrerUrl has "portableapps.com"
```
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName endswith ".paf.exe"
```

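As an added example (not the post's own query), the two sources above combined: .paf.exe downloads from DeviceFileEvents joined to DeviceProcessEvents on DeviceName and SHA1, so each portable app observed is listed with whether it was actually launched and by whom, with the application name derived from the usual PortableApps package naming (`<App>Portable_<version>_<language>.paf.exe`) and a flag for portable web browsers, which the note above singles out. Both tables are constructed `datatable` stand-ins (file names, hashes and URLs are made up); swap in `DeviceFileEvents` and `DeviceProcessEvents` to run it for real. The browser-name pattern is an assumption to extend as needed.

```kql
// Constructed sample rows standing in for DeviceFileEvents (hashes shortened and made up)
let SampleDeviceFileEvents = datatable(Timestamp:datetime, DeviceName:string, InitiatingProcessAccountName:string, FileName:string, SHA1:string, FileOriginUrl:string) [
    datetime(2025-03-03 09:00:00), "WS-01", "alice", "FirefoxPortable_128.0_English.paf.exe", "aaaa0001", "https://portableapps.com/apps/internet/firefox_portable",
    datetime(2025-03-03 09:30:00), "WS-01", "alice", "7-ZipPortable_24.08.paf.exe",            "aaaa0002", "https://portableapps.com/apps/utilities/7-zip_portable",
    datetime(2025-03-03 11:00:00), "WS-02", "bob",   "NotepadPlusPlusPortable_8.6.paf.exe",    "aaaa0003", "https://portableapps.com/apps/development/notepadpp_portable",
    datetime(2025-03-03 12:00:00), "WS-03", "carol", "setup.paf.exe",                          "aaaa0004", "https://example.net/files/setup.paf.exe"
];
// Constructed sample rows standing in for DeviceProcessEvents
let SampleDeviceProcessEvents = datatable(Timestamp:datetime, DeviceName:string, AccountName:string, FileName:string, SHA1:string) [
    datetime(2025-03-03 09:02:00), "WS-01", "alice", "FirefoxPortable_128.0_English.paf.exe", "aaaa0001",
    datetime(2025-03-03 09:03:00), "WS-01", "alice", "FirefoxPortable_128.0_English.paf.exe", "aaaa0001",
    datetime(2025-03-03 12:05:00), "WS-03", "carol", "setup.paf.exe",                          "aaaa0004"
];
// App names treated as portable web browsers (assumption; extend as needed)
let PortableBrowserPattern = @"(?i)^(Firefox|GoogleChrome|Chromium|Edge|Brave|Opera|TorBrowser)";
// Launches of .paf.exe files, one row per device and hash, to join back onto the downloads
let PortableAppExecutions = SampleDeviceProcessEvents
    | where FileName endswith ".paf.exe"
    | summarize Executions = count(), ExecutedBy = make_set(AccountName) by DeviceName, SHA1;
SampleDeviceFileEvents
| where FileName endswith ".paf.exe" or FileOriginUrl has "portableapps.com"
// "<App>Portable_<version>_<language>.paf.exe" -> "<App>"; a file outside that convention just loses ".paf.exe"
| extend AppName = replace_regex(FileName, @"(?i)(Portable)?_.*\.paf\.exe$|\.paf\.exe$", "")
| extend IsPortableBrowser = AppName matches regex PortableBrowserPattern
| extend FromPortableAppsSite = FileOriginUrl has "portableapps.com"
| join kind=leftouter PortableAppExecutions on DeviceName, SHA1
| project Timestamp, DeviceName, DownloadedBy = InitiatingProcessAccountName, AppName, FileName, FromPortableAppsSite, IsPortableBrowser, Executions = coalesce(Executions, 0), ExecutedBy
| order by IsPortableBrowser desc, Executions desc
```

On the constructed rows, the Firefox package on WS-01 comes out first (browser flag set, two executions by alice), `setup.paf.exe` on WS-03 shows a non-PortableApps origin with one execution, and the 7-Zip and Notepad++ packages show zero executions, meaning they were downloaded but never run.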
-------------------------------------------------------------------------------- /100DaysOfKQL/Day 86 - Summarized Processes Launched by PowerShell or Command Line Scripts.md: --------------------------------------------------------------------------------
# *Summarized Processes Launched by PowerShell or Command Line Scripts*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/03/29 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | https://attack.mitre.org/techniques/T1059/003/ |

#### Description

This query returns a summarized view of the processes launched by PowerShell (powershell.exe, pwsh.exe) and/or command line (cmd.exe) scripts (PS1, BAT, CMD).

A summarization query for when you're trying to get a good view of which distinct processes/commands have been launched by various PowerShell and/or command line scripts. The query can be adjusted to target specific scripts, e.g.:

```KQL
| where ProcessCommandLine has "myscript.ps1"
```

Or even a folder holding a collection of scripts, e.g.:

```KQL
| where ProcessCommandLine has @"C:\Scripts\"
```

This is mostly for investigation purposes (and possibly threat hunting), not fit for detection, though it could be with a bit of fine-tuning, which I leave as an exercise to you, or to me, in another #100DaysOfKQL post!

I came up with this when investigating an incident where a threat actor was using BAT scripts to do everything on an endpoint, all running from the same directory.
This query allowed me to understand what each script was doing and, from there, better understand the intent and the impact.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via ProcessEvents ###
```KQL
DeviceProcessEvents
| where (InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has ".ps1")
    or (InitiatingProcessFileName =~ "cmd.exe"
        and ProcessCommandLine has_any (".bat", ".cmd"))
| summarize ["Commands"]=make_set(ProcessCommandLine),
            ["DistinctCommandsCount"]=dcount(ProcessCommandLine)
    by InitiatingProcessCommandLine
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via ProcessEvents ###
```KQL
DeviceProcessEvents
| where (InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has ".ps1")
    or (InitiatingProcessFileName =~ "cmd.exe"
        and ProcessCommandLine has_any (".bat", ".cmd"))
| summarize ["Commands"]=make_set(ProcessCommandLine),
            ["DistinctCommandsCount"]=dcount(ProcessCommandLine)
    by InitiatingProcessCommandLine
```
-------------------------------------------------------------------------------- /100DaysOfKQL/Day 90 - Network Connection from MSBuild.exe with ASN Enrichment.md: --------------------------------------------------------------------------------
# *Network Connection from MSBuild.exe with ASN Enrichment*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/04/02 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | https://attack.mitre.org/techniques/T1127/001/ |

#### Description

This query returns events where a network connection from MSBuild.exe to a public remote IP is observed, and enriches the IP involved (RemoteIP) with ASN information.

MSBuild.exe is a popular process for malware to inject into, and threat actors can also use it to load onto a system a payload fetched remotely. Either way, the result is network connections from the MSBuild.exe process, and with a little bit of filtering and enrichment, suspicious and/or downright malicious instances can be spotted.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### References ###

- https://www.malwarebytes.com/blog/news/2025/02/sectoprat-bundled-in-chrome-installer-distributed-via-google-ads
- https://www.threatdown.com/blog/bing-ad-for-nordvpn-leads-to-sectoprat/
- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
let CIDRASN = (
    externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
    ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
    with (ignoreFirstRecord=true)
);
let MsBuildNetconnIpLookupEvents = (DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "msbuild.exe"
    | where not (ipv4_is_private(RemoteIP))
    | distinct RemoteIP
    | evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true));
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "msbuild.exe"
| where not (ipv4_is_private(RemoteIP))
| join MsBuildNetconnIpLookupEvents on RemoteIP
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
let CIDRASN = (
    externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
    ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
    with (ignoreFirstRecord=true)
);
let MsBuildNetconnIpLookupEvents = (DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "msbuild.exe"
    | where not (ipv4_is_private(RemoteIP))
    | distinct RemoteIP
    | evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true));
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "msbuild.exe"
| where not (ipv4_is_private(RemoteIP))
| join MsBuildNetconnIpLookupEvents on RemoteIP
```
-------------------------------------------------------------------------------- /Defender for Endpoint/Binary With Short-Lived Certificate Launched from Downloads Folder.md: --------------------------------------------------------------------------------
# *Binary With Short-Lived Certificate Launched from Downloads Folder*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/10/05 | Initial version |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |

#### Description

This query looks for the execution of processes from a user's Downloads folder where the binary is signed with a short-lived certificate (valid for 7 days or less).

The idea for this query comes from a recent OysterLoader/Broomstick campaign using short-lived certificates and masquerading as installers for known/popular software (such as Microsoft Teams).

This query is probably better suited for hunting than for detection. However, you could turn it into a detection by leveraging the GlobalPrevalence value and keeping only results with a low global prevalence (e.g.: under 100).

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Reference(s) ###

- https://x.com/SquiblydooBlog/status/1971575773904740437
- https://conscia.com/blog/from-seo-poisoning-to-malware-deployment-malvertising-campaign-uncovered/

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Defender for Endpoint (MDE) via DeviceProcessEvents, DeviceFileCertificateInfo ###
```KQL
// Adjust the certificate time-span threshold as needed (can be 4 to get certs valid for 3 days for instance)
let CertTimeDifferenceThreshold = 8;
DeviceProcessEvents
| where FolderPath matches regex @"(?i)C\:\\Users\\[^\\]+\\Downloads\\(.*)?"
| distinct DeviceName, FolderPath, SHA1
| join DeviceFileCertificateInfo on DeviceName, SHA1
| where Signer != "Microsoft Corporation"
| extend CertTimeDifference = datetime_diff('day', CertificateExpirationTime, CertificateCreationTime)
| where CertTimeDifference < CertTimeDifferenceThreshold
| invoke FileProfile("SHA1", 1000)
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceProcessEvents, DeviceFileCertificateInfo ###
```KQL
// DISCLAIMER: Since we use FileProfile(), this query does not work in Microsoft Sentinel. However, unless you actually want to use it as a detection (as mentioned above), you don't need to rely on it for hunting purposes.
// Adjust the certificate time-span threshold as needed (can be 4 to get certs valid for 3 days for instance)
let CertTimeDifferenceThreshold = 8;
DeviceProcessEvents
| where FolderPath matches regex @"(?i)C\:\\Users\\[^\\]+\\Downloads\\(.*)?"
| distinct DeviceName, FolderPath, SHA1
| join DeviceFileCertificateInfo on DeviceName, SHA1
| where Signer != "Microsoft Corporation"
| extend CertTimeDifference = datetime_diff('day', CertificateExpirationTime, CertificateCreationTime)
| where CertTimeDifference < CertTimeDifferenceThreshold
```
-------------------------------------------------------------------------------- /100DaysOfKQL/Day 9 - Low Prevalence DLL Loaded From Process In User Downloads Folder.md: --------------------------------------------------------------------------------
# *Low Prevalence DLL Loaded From Process In User Downloads Folder*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/09 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |
| T1574.001 | Hijack Execution Flow: DLL | https://attack.mitre.org/techniques/T1574/001/ |

#### Description

This query returns events where a DLL with a low prevalence, per Defender XDR's FileProfile(), was loaded from a user's Downloads folder by a process in the same folder (or a subfolder). This is a detection or hunting query aimed at catching initial access from malware that uses DLL sideloading for execution.

The chain of events here is basically: a user goes on the Internet and downloads an archive (e.g.: ZIP) holding multiple files: a legitimate EXE, MSI, etc., a few legitimate DLLs and a malicious one. They extract the archive where it is, often in the Downloads folder where it was saved, and then proceed to execute the EXE, MSI, etc.

This is what you would see in a Nitrogen-related infection.
The downside of this query, obviously, is that it only works in Advanced Hunting (Defender XDR console), since it makes use of FileProfile() (https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-fileprofile-function).

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

#### Reference(s)

- https://www.threatdown.com/blog/nitrogen-shelling-malware-from-hacked-sites/
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
- https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceImageLoadEvents ###
```KQL
let LoadedDLLs = (
    DeviceImageLoadEvents
    | where InitiatingProcessFolderPath matches regex @"(?i)\\Users\\[^\\]+\\Downloads\\(.*)?"
    | where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\Downloads\\(.*)?"
    | where FileName endswith ".dll"
    | distinct SHA1
    // FileProfile() has a limit of 1000 lookups per query.
    | invoke FileProfile("SHA1",1000)
);
DeviceImageLoadEvents
| where InitiatingProcessFolderPath matches regex @"(?i)\\Users\\[^\\]+\\Downloads\\(.*)?"
| where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\Downloads\\(.*)?"
| where FileName endswith ".dll"
| join kind=inner LoadedDLLs on SHA1
// You can add a filter on the GlobalPrevalence column if you wish to reduce the number of results, though I suggest simply ordering them from lowest to highest and looking at the ones with the lowest prevalence
//| where GlobalPrevalence < 500
//| order by GlobalPrevalence asc
```
-------------------------------------------------------------------------------- /Defender for Endpoint/Summarization of net.exe use from Batch Script.md: --------------------------------------------------------------------------------
# *Summarization of net.exe use from Batch Script*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/10/14 | Initial version |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1552.001 | Unsecured Credentials: Credentials in Files | https://attack.mitre.org/techniques/T1552/001/ |

#### Description

This query looks for instances where net.exe, spawned from a batch script, is used to connect to a network share with an explicit user (/user:), and from there breaks the results down by DeviceName, user, destination (share/folder/etc.) and the batch script involved.

More of an audit query, if you wish: users may still be explicitly connecting to shares with clear-text credentials in batch scripts. Hence the TTP chosen.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Defender for Endpoint (MDE) via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName =~ "net.exe"
// Exclude net.exe typed into an interactive cmd.exe; we only want script-launched instances
| where InitiatingProcessCommandLine != "\"cmd.exe\" "
| where ProcessCommandLine has_all("use","/user:")
| extend LowerProcessCommandLine = tolower(ProcessCommandLine)
| extend ArgumentUser = extract(@"/user:([^\s]+)", 1, LowerProcessCommandLine)
| extend SanitizedScriptName = trim_end(" \"", InitiatingProcessCommandLine)
| extend ComputerName = extract(@"(?i)\\\\[^\s]+",0,ProcessCommandLine)
| extend ScriptName = tostring(split(SanitizedScriptName," ")[-1])
| extend UserToShareToScript = tostring(bag_pack("User", ArgumentUser, "Destination", ComputerName, "Script", ScriptName))
| summarize UserToShareToScriptInstances = make_set(UserToShareToScript),
            UserToShareToScriptInstancesCount = dcount(UserToShareToScript)
    by DeviceName
| project-reorder DeviceName, UserToShareToScriptInstancesCount, UserToShareToScriptInstances
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceProcessEvents ###
```KQL
DeviceProcessEvents
| where FileName =~ "net.exe"
// Exclude net.exe typed into an interactive cmd.exe; we only want script-launched instances
| where InitiatingProcessCommandLine != "\"cmd.exe\" "
| where ProcessCommandLine has_all("use","/user:")
| extend LowerProcessCommandLine = tolower(ProcessCommandLine)
| extend ArgumentUser = extract(@"/user:([^\s]+)", 1, LowerProcessCommandLine)
| extend SanitizedScriptName = trim_end(" \"", InitiatingProcessCommandLine)
| extend ComputerName = extract(@"(?i)\\\\[^\s]+",0,ProcessCommandLine)
| extend ScriptName = tostring(split(SanitizedScriptName," ")[-1])
| extend UserToShareToScript = tostring(bag_pack("User", ArgumentUser, "Destination", ComputerName, "Script", ScriptName))
| summarize UserToShareToScriptInstances = make_set(UserToShareToScript),
            UserToShareToScriptInstancesCount = dcount(UserToShareToScript)
    by DeviceName
| project-reorder DeviceName, UserToShareToScriptInstancesCount, UserToShareToScriptInstances
```
-------------------------------------------------------------------------------- /Defender for Endpoint/Modification to a PowerShell Profile.md: --------------------------------------------------------------------------------
# *Modification to a PowerShell Profile*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/06/04 | Initial version |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1546.013 | Event Triggered Execution: PowerShell Profile | https://attack.mitre.org/techniques/T1546/013/ |

#### Description

This query looks for DeviceFileEvents where a PowerShell profile (.ps1) file (Profile.ps1, Microsoft.PowerShell_profile.ps1) is involved in one of the known (default) locations. It only covers the Windows PowerShell (classic) and PowerShell (new) profile paths. At the user level, PowerShell profiles are usually located in the user's Documents folder; however, with OneDrive redirection of the Documents folder, they fall under the OneDrive\Documents folder rather than the standard $USERNAME\Documents folder.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.5

Threat actors can modify/tamper with a PowerShell profile, or even create one, in order to execute code whenever PowerShell is launched. This can be used for code execution or even persistence. The code runs in the context of the user that launched the process, which can lead to privilege escalation.
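As an added example (not the post's own query), a version that covers a few more of the default locations listed in about_Profiles and carries the initiating-process context needed to triage a hit: the Windows PowerShell 5.1 CurrentUser folder (`Documents\WindowsPowerShell`), a plain `OneDrive` folder as well as the `OneDrive - <tenant>` form, the host-specific `Microsoft.PowerShellISE_profile.ps1` and `Microsoft.VSCode_profile.ps1` names, and the account, process and command line behind each create/modify/rename/delete. The rows are constructed `datatable` stand-ins for DeviceFileEvents (device names, accounts and command lines are made up); swap in the real table to run it.

```kql
// Constructed sample rows standing in for DeviceFileEvents (not real telemetry)
let SampleDeviceFileEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, FileName:string, FolderPath:string, InitiatingProcessAccountName:string, InitiatingProcessFileName:string, InitiatingProcessCommandLine:string) [
    datetime(2025-06-04 08:00:00), "WS-01",  "FileCreated",  "Microsoft.PowerShell_profile.ps1",     @"C:\Users\alice\OneDrive - Contoso\Documents\PowerShell\Microsoft.PowerShell_profile.ps1",     "alice", "powershell.exe", @"powershell.exe -NoProfile -File C:\Users\alice\Downloads\configure.ps1",
    datetime(2025-06-04 08:05:00), "WS-02",  "FileModified", "Microsoft.PowerShell_profile.ps1",     @"C:\Users\bob\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1",                   "bob",   "notepad.exe",    @"notepad.exe C:\Users\bob\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1",
    datetime(2025-06-04 08:10:00), "SRV-01", "FileCreated",  "profile.ps1",                          @"C:\Program Files\PowerShell\7\profile.ps1",                                                  "SYSTEM", "msiexec.exe",   @"msiexec.exe /i C:\Windows\Temp\tooling.msi /qn",
    datetime(2025-06-04 08:15:00), "WS-02",  "FileCreated",  "Microsoft.VSCode_profile.ps1",         @"C:\Users\bob\Documents\PowerShell\Microsoft.VSCode_profile.ps1",                              "bob",   "Code.exe",       @"Code.exe",
    datetime(2025-06-04 08:20:00), "WS-02",  "FileCreated",  "helper.ps1",                           @"C:\Users\bob\Documents\PowerShell\Scripts\helper.ps1",                                        "bob",   "Code.exe",       @"Code.exe",
    datetime(2025-06-04 08:25:00), "WS-01",  "FileCreated",  "Microsoft.PowerShell_profile.ps1.bak", @"C:\Users\alice\OneDrive - Contoso\Documents\PowerShell\Microsoft.PowerShell_profile.ps1.bak", "alice", "explorer.exe",   @"explorer.exe"
];
// Default profile locations from about_Profiles: AllUsers for PowerShell 7 and Windows PowerShell 5.1, CurrentUser under
// Documents\PowerShell (7) or Documents\WindowsPowerShell (5.1), with or without OneDrive redirection of Documents.
// The trailing $ keeps look-alikes such as "profile.ps1.bak" out.
let ProfilePathPattern = @"(?i):\\(Program\ Files\\PowerShell\\7|Windows\\System32\\WindowsPowerShell\\v1\.0|Users\\[^\\]+\\(OneDrive[^\\]*\\)?Documents\\(PowerShell|WindowsPowerShell))\\(Profile|Microsoft\.PowerShell_profile|Microsoft\.PowerShellISE_profile|Microsoft\.VSCode_profile)\.ps1$";
SampleDeviceFileEvents
| where FolderPath matches regex ProfilePathPattern
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed", "FileDeleted")
// AllUsers profiles run for everyone who opens PowerShell on the host; CurrentUser ones for a single account
| extend ProfileScope = iff(FolderPath contains @"\Users\", "CurrentUser", "AllUsers")
| extend PowerShellEdition = iff(FolderPath matches regex @"(?i)\\(PowerShell\\7|Documents\\PowerShell)\\", "PowerShell 7", "Windows PowerShell 5.1")
| project Timestamp, DeviceName, ActionType, ProfileScope, PowerShellEdition, FolderPath, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp asc
```

On the constructed rows, four events match (the OneDrive-redirected PowerShell 7 profile, the Windows PowerShell 5.1 profile, the AllUsers PowerShell 7 profile written under SYSTEM, and the VS Code host profile); `Scripts\helper.ps1` and the `.bak` copy do not. The AllUsers hit written by an installer is the kind of result you would want to reconcile against change records, since whatever it contains runs for every account that opens PowerShell 7 on that server.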
If this query returns any hits, you'll want to investigate what process was involved in modifying that file (or even deleting it), and how.

All credit for this query idea goes to @Wietze (on Twitter/X), who shared it via his #HuntingTipOfTheDay.

https://x.com/Wietze/status/1930203495807832545

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Defender XDR ##
### Defender for Endpoint (MDE) via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where FolderPath matches regex @"(?i):\\Program\ Files\\PowerShell\\7\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
    or FolderPath matches regex @"(?i):\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
    or FolderPath matches regex @"(?i):\\Users\\[^\\]+\\Documents\\PowerShell\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
    or FolderPath matches regex @"(?i):\\Users\\[^\\]+\\OneDrive([^\\]+)\\Documents\\PowerShell\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
```
## Microsoft Sentinel ##
### Defender for Endpoint (MDE) via DeviceFileEvents ###
```KQL
DeviceFileEvents
| where FolderPath matches regex @"(?i):\\Program\ Files\\PowerShell\\7\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
    or FolderPath matches regex @"(?i):\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
    or FolderPath matches regex @"(?i):\\Users\\[^\\]+\\Documents\\PowerShell\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
    or FolderPath matches regex @"(?i):\\Users\\[^\\]+\\OneDrive([^\\]+)\\Documents\\PowerShell\\(Profile|Microsoft\.PowerShell_profile)\.ps1"
```
-------------------------------------------------------------------------------- /100DaysOfKQL/Day 8 - Silent cmd.exe Execution With Redirected STDERR & STDOUT.md: --------------------------------------------------------------------------------
# *Silent cmd.exe Execution With Redirected STDERR & STDOUT*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/08 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | https://attack.mitre.org/techniques/T1059/003/ |

#### Description

A lot of reverse shells and/or C2s execute the commands passed to them via cmd.exe. They may also use the following arguments to keep things quiet:

- /Q, which turns echo off
- /C, which runs the command and then closes the window

Additionally, depending on the tool used, the command's output may be captured in a file (or pipe) that is then sent over to and/or read by the remote host (the one sending the command).

- 2>&1 redirects stderr to stdout (https://learn.microsoft.com/en-us/troubleshoot/developer/visualstudio/cpp/language-compilers/redirecting-error-command-prompt)

This way, you still get both stderr and stdout.
This method of cmd.exe execution is also part of many open-source projects that are (ab)used by threat actors: 30 | 31 | - Impacket - https://github.com/search?q=repo%3Afortra%2Fimpacket%202%3E%261&type=code 32 | - CrackMapExec - https://github.com/search?q=repo%3Abyt3bl33d3r%2FCrackMapExec%202%3E%261&type=code 33 | - NetExec (it's CME successor after all) - https://github.com/search?q=repo%3APennyw0rth%2FNetExec%202%3E%261&type=code 34 | 35 | While not specific to OSTs, it's pretty common to see traces of this when it comes to incidents that lead to data exfiltration, ransomware deployment or even where a threat actor was able to get a foothold in an environment. Which makes it a good candidate for a threat hunting query. Run it, review the results and determine if any of the commands launched that way could be reverse-shell related and/or examine their execution context (e.g.: user, parent process, execution timeframe, etc.). 36 | 37 | #### Author 38 | - **Name:** SecurityAura 39 | - **Github:** https://github.com/SecurityAura 40 | - **Twitter:** https://x.com/SecurityAura 41 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 42 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 43 | - **LinkedIn:** Coming Soon! 
44 | - **Website:** https://medium.com/@securityaura 45 | 46 | ### Queries Overview ### 47 | 48 | - Defender for Endpoint (MDE) - 1 query 49 | - Microsoft Sentinel (via SecurityEvent) - 1 query 50 | 51 | ## Defender XDR ## 52 | ### Defender for Endpoint (MDE) via DeviceProcessEvents ### 53 | ```KQL 54 | DeviceProcessEvents 55 | | where FileName =~ "cmd.exe" 56 | | where ProcessCommandLine has_all ("/Q","/C") 57 | | where ProcessCommandLine has_any ("&1","2>&1") 58 | ``` 59 | ## Microsoft Sentinel ## 60 | ### Defender for Endpoint (MDE) via DeviceProcessEvents ### 61 | ```KQL 62 | DeviceProcessEvents 63 | | where FileName =~ "cmd.exe" 64 | | where ProcessCommandLine has_all ("/Q","/C") 65 | | where ProcessCommandLine has_any ("&1","2>&1") 66 | ``` 67 | ### SecurityEvent - Event ID 4688 (Process Creation) ### 68 | ```KQL 69 | SecurityEvent 70 | | where EventID == "4688" 71 | | where Process =~ "cmd.exe" 72 | | where CommandLine has_all ("/Q","/C") 73 | | where CommandLine has_any ("&1","2>&1") 74 | ``` 75 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 33 - Suspicious String in Service Creation ImagePath.md: -------------------------------------------------------------------------------- 1 | # *Suspicious String in Service Creation ImagePath* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/02/02 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1569.002 | System Services: Service Execution | https://attack.mitre.org/techniques/T1569/002/ | 17 | | T1543.003 | Create or Modify System Process: Windows Service | https://attack.mitre.org/techniques/T1543/003/ | 18 | 19 | #### Description 20 | 21 | These queries returns events where a suspicious string, defined in a dynamic property, was found in the 
ImagePath of a service creation event. 22 | 23 | Another "low-hanging fruit" detection and/or hunting query. A lot of tools allowing for lateral movement and/or remote execution (think Cobalt Strike, Impacket, etc.) will stuff the same "execution template" in the ImagePath of a Windows service they create. May it be calling %COMSPEC% or calling the ImagePath from the ADMIN$ share directly. 24 | 25 | Looking for service creation where these strings are present allows you to detect or uncover such lateral movement and/or remote execution events. 26 | 27 | Luckily for us, some of these patterns already triggers some good detection from Defender for Endpoint (MDE). But, we're looking to get 100% guaranteed alert trigger for these here, or simply hunting for them when they fell through the crack. 28 | 29 | #### Author 30 | - **Name:** SecurityAura 31 | - **Github:** https://github.com/SecurityAura 32 | - **Twitter:** https://x.com/SecurityAura 33 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 34 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 35 | - **LinkedIn:** Coming Soon! 
36 | - **Website:** https://medium.com/@securityaura 37 | 38 | ### Reference(s) 39 | 40 | - https://www.crowdstrike.com/en-us/blog/getting-the-bacon-from-cobalt-strike-beacon/ 41 | - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/ 42 | 43 | ### Queries Overview ### 44 | 45 | - Defender for Endpoint (MDE) - 1 query 46 | - Microsoft Sentinel (SecurityEvents) - 1 query 47 | 48 | ## Microsoft Defender XDR ## 49 | ### Microsoft Defender for Endpoint via DeviceEvents ### 50 | ```KQL 51 | let SuspiciousStrings = dynamic([ 52 | "COMSPEC", 53 | "cmd", 54 | "powershell", 55 | "ADMIN$", 56 | "C$", 57 | "127.0.0.1" 58 | ]); 59 | DeviceEvents 60 | | where ActionType == "ServiceInstalled" 61 | | extend FullPath = strcat(FolderPath,@"\",FileName) 62 | | where FullPath has_any (SuspiciousStrings) 63 | or ProcessCommandLine has_any (SuspiciousStrings) 64 | ``` 65 | ## Microsoft Sentinel ## 66 | ### Microsoft Defender for Endpoint via DeviceEvents ### 67 | ```KQL 68 | let SuspiciousStrings = dynamic([ 69 | "COMSPEC", 70 | "cmd", 71 | "powershell", 72 | "ADMIN$", 73 | "C$", 74 | "127.0.0.1" 75 | ]); 76 | DeviceEvents 77 | | where ActionType == "ServiceInstalled" 78 | | extend FullPath = strcat(FolderPath,@"\",FileName) 79 | | where FullPath has_any (SuspiciousStrings) 80 | or ProcessCommandLine has_any (SuspiciousStrings) 81 | ``` 82 | ### SecurityEvents ### 83 | ```KQL 84 | let SuspiciousStrings = dynamic([ 85 | "COMSPEC", 86 | "cmd", 87 | "powershell", 88 | "ADMIN$", 89 | "C$", 90 | "127.0.0.1" 91 | ]); 92 | SecurityEvent 93 | | where EventID == 4697 94 | | where ServiceFileName has_any (SuspiciousStrings) 95 | ``` 96 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 57 - Non-Sucking Service Manager (nssm) Usage.md: -------------------------------------------------------------------------------- 1 | # *Non-Sucking Service Manager (nssm) Usage* 2 | 3 | ## Query Information 4 | 5 | #### Changelog 6 | 7 
| | Date | Comments | 8 | |---|---| 9 | | 2025/02/26 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | T1569.002 | System Services: Service Execution | https://attack.mitre.org/techniques/T1569/002/ | 17 | | T1543.003 | Create or Modify System Process: Windows Service | https://attack.mitre.org/techniques/T1543/003/ | 18 | 19 | #### Description 20 | 21 | DISCLAIMER: I once again have to put up that query of the day very fast today. I'll come back to it to add more queries to hunt for NSSM. 22 | 23 | This query returns events where the Non-Sucking Service Manager (nssm) application was observed. NSSM is a popular little application (free, the way we like them) that allows you to basically turn anything into a service, may it be a binary, script, command, etc. If you read between the lines of the previous sentence, you'll quickly understand that NSSM can also be abused by threat actors to basically persist in the form of a service. May it be a backdoor, ransomware, BYVOD, etc. 24 | 25 | For instance, threat actors can use NSSM with ngrok (Day 56 query), even though ngrok can be installed as a service by itself, to make sure that the ngrok agent constantly stays up and running and restarted even after reboot, the process gets killed, the process crashes, etc. 26 | 27 | NSSM has also been seen to persisently launch coinminers such as XMRig on compromised systems. 28 | 29 | #### Author 30 | - **Name:** SecurityAura 31 | - **Github:** https://github.com/SecurityAura 32 | - **Twitter:** https://x.com/SecurityAura 33 | - **BlueSky:** https://bsky.app/profile/securityaura.bsky.social 34 | - **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura 35 | - **LinkedIn:** Coming Soon! 
36 | - **Website:** https://medium.com/@securityaura 37 | 38 | ### References ### 39 | 40 | - https://nssm.cc/ 41 | - https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ 42 | - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 43 | 44 | ### Queries Overview ### 45 | 46 | - Defender for Endpoint (MDE) - 3 queries 47 | - Microsoft Sentinel (via SecurityEvent and Event) - 2 queries TO BE ADDED 48 | 49 | ## Microsoft Defender XDR ## 50 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 51 | ```KQL 52 | DeviceProcessEvents 53 | | where FileName =~ "nssm.exe" 54 | or InitiatingProcessFileName =~ "nssm.exe" 55 | ``` 56 | ### Microsoft Defender for Endpoint via DeviceFileEvents ### 57 | ```KQL 58 | DeviceFileEvents 59 | | where FileName =~ "nssm.exe" 60 | ``` 61 | ### Microsoft Defender for Endpoint via DeviceEvents ### 62 | ```KQL 63 | DeviceEvents 64 | | where ActionType == "ServiceInstalled" 65 | | where FileName =~ "nssm.exe" 66 | or FolderPath has "nssm" 67 | ``` 68 | ## Microsoft Sentinel ## 69 | ### Microsoft Defender for Endpoint via DeviceProcessEvents ### 70 | ```KQL 71 | DeviceProcessEvents 72 | | where FileName =~ "nssm.exe" 73 | or InitiatingProcessFileName =~ "nssm.exe" 74 | ``` 75 | ### Microsoft Defender for Endpoint via DeviceFileEvents ### 76 | ```KQL 77 | DeviceFileEvents 78 | | where FileName =~ "nssm.exe" 79 | ``` 80 | ### Microsoft Defender for Endpoint via DeviceEvents ### 81 | ```KQL 82 | DeviceEvents 83 | | where ActionType == "ServiceInstalled" 84 | | where FileName =~ "nssm.exe" 85 | or FolderPath has "nssm" 86 | ``` 87 | -------------------------------------------------------------------------------- /100DaysOfKQL/Day 21 - Password of Newly Created User Used Through The CommandLine.md: -------------------------------------------------------------------------------- 1 | # *Password of Newly Created User Used Through The CommandLine* 2 | 3 | ## Query Information 4 | 5 
| #### Changelog 6 | 7 | | Date | Comments | 8 | |---|---| 9 | | 2025/01/21 | Initial version (part of #100DaysOfKQL) | 10 | | 2025/05/17 | Added MITRE ATT&CK and Changelog | 11 | 12 | #### MITRE ATT&CK Technique(s) 13 | 14 | | Technique ID | Title | Link | 15 | | --- | --- | --- | 16 | | N/A | N/A | N/A | 17 | 18 | #### Description 19 | 20 | This query returns events where the password of a newly created user through "net.exe user" may have been used in a subsequent process creation (through its command line). 21 | 22 | A bit of an experimental query I was thinkering with yesterday. A lot of threat actors will create new accounts using "net.exe user" and may afterwards, use it to launch further command while passing along their credentials (e.g.: PsExec.exe). 23 | 24 | In these kind of situations, you could potentially identify these commands by simply searching for these passwords in the various processes command lines! Side effect of that query? 25 | 26 | - You may spot password reuse, e.g.: multiple users created with the same password 27 | - You may spot weak passwords (e.g.: Password1, Winter2025, etc.) 28 | - Anything fun I haven't thought of yet 29 | 30 | The downside with this query is that it will only work if the most basic, but also the most common, form of the "net.exe user" command is used, like so: 31 | 32 | - net user TestUser #Password1! /add 33 | 34 | This is mostly due to the fact that the various net.exe options aren't position dependent. Which means, this command also works (creates the user): 35 | 36 | - net user /active:yes TestUser /comment:"Hello" #Password1! /add 37 | 38 | So in this query, we're using the parse_command_line() function to break down the ProcessCommandLine column in a dynamic array, where technically, index 3 would hold our password. Your results are also going to be skewed if someone uses the wrong command, such as trying to add a user to a group, using "net.exe user". 
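As an added example (not the repository's query), here is the Day 21 logic re-implemented in Python over constructed DeviceProcessEvents rows: the page's index-3 lookup next to an option-agnostic parser that also handles the reordered form above, the password-reuse side effect, and the final `has_any` hunt. `split_windows_cmdline` is an assumed, simplified stand-in for KQL's `parse_command_line(x, "windows")`; every event, host and password in it is made up.

```python
"""Day 21 logic re-implemented in Python (added example, not the repository's code)."""
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed stand-in for DeviceProcessEvents rows; all values are made up
    {"FileName": "net.exe", "ProcessCommandLine": "net user TestUser #Password1! /add"},
    {"FileName": "net.exe", "ProcessCommandLine": 'net user /active:yes Backup01 /comment:"Hello there" #Password1! /add'},
    {"FileName": "net.exe", "ProcessCommandLine": "net user svc_backup Winter2025 /add /domain"},
    {"FileName": "net.exe", "ProcessCommandLine": "net user Helpdesk * /add"},
    {"FileName": "PsExec.exe", "ProcessCommandLine": r"PsExec.exe \\FILESRV01 -u TestUser -p #Password1! cmd.exe"},
    {"FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
]

def split_windows_cmdline(cmdline):
    """Simplified Windows argument splitting, an assumed stand-in for KQL's
    parse_command_line(x, "windows"): whitespace splits unless inside double quotes."""
    args, current, in_quotes, has_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':  # quotes group an argument and are dropped themselves
            in_quotes, has_token = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if has_token:
                args.append("".join(current))
                current, has_token = [], False
        else:
            current.append(ch)
            has_token = True
    if has_token:
        args.append("".join(current))
    return args

def password_positional(cmdline):
    """What the page's query does: tostring(ParsedCLI[3])."""
    args = split_windows_cmdline(cmdline)
    return args[3] if len(args) > 3 else None

def parse_net_user_add(cmdline):
    """Option-agnostic variant: drop /option tokens wherever they sit; the first token
    left after "user" is the username, the second the password. Returns a tuple or None."""
    args = split_windows_cmdline(cmdline)
    low = [a.lower() for a in args]
    if "user" not in low or "/add" not in low:
        return None
    positional = [a for a in args[low.index("user") + 1:] if not a.startswith("/")]
    if len(positional) < 2 or positional[1] == "*":  # "*" = password prompted, not on the CLI
        return None
    return positional[0], positional[1]

def password_reuse(events):
    """Password -> usernames created with it (the page's 'password reuse' side effect)."""
    users = defaultdict(set)
    for e in events:
        if e["FileName"].lower() == "net.exe":
            parsed = parse_net_user_add(e["ProcessCommandLine"])
            if parsed:
                users[parsed[1]].add(parsed[0])
    return dict(users)

def hunt_password_in_command_lines(events, passwords):
    """Approximates `where ProcessCommandLine has_any (Passwords)` with a case-insensitive substring match."""
    hits = []
    for e in events:
        for pw in passwords:
            if pw.lower() in e["ProcessCommandLine"].lower():
                hits.append((pw, e["FileName"], e["ProcessCommandLine"]))
                break
    return hits
```

On the sample rows the index-3 lookup returns the username "Backup01" for the reordered command, while the option-agnostic parser still recovers the password and the subsequent PsExec.exe launch is the only non-net.exe hit.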

I'll probably go back at some point to try to fix this query, but since it's experimental, it should do the job to get you started/exploring!

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Queries Overview ###

- Microsoft Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
let Passwords = (DeviceProcessEvents
    | where FileName =~ "net.exe"
    | where ProcessCommandLine has_all ("user","/add")
    | extend ParsedCLI = parse_command_line(ProcessCommandLine, "windows")
    | extend Password = tostring(ParsedCLI[3])   // only correct for the basic "net user <name> <password> /add" form
    | distinct Password);
DeviceProcessEvents
| where ProcessCommandLine has_any (Passwords)
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceProcessEvents ###
```KQL
let Passwords = (DeviceProcessEvents
    | where FileName =~ "net.exe"
    | where ProcessCommandLine has_all ("user","/add")
    | extend ParsedCLI = parse_command_line(ProcessCommandLine, "windows")
    | extend Password = tostring(ParsedCLI[3])   // only correct for the basic "net user <name> <password> /add" form
    | distinct Password);
DeviceProcessEvents
| where ProcessCommandLine has_any (Passwords)
```
--------------------------------------------------------------------------------
/100DaysOfKQL/Day 27 - Network Connection From Python-related Process.md:
--------------------------------------------------------------------------------
# *Network Connection From Python-related Process*

## Query Information

#### Changelog

| Date | Comments |
|---|---|
| 2025/01/27 | Initial version (part of #100DaysOfKQL) |
| 2025/05/17 | Added MITRE ATT&CK and Changelog |

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.006 | Command and Scripting Interpreter: Python | https://attack.mitre.org/techniques/T1059/006/ |

#### Description

This query returns events where a network event (e.g.: outbound connection) involving a process associated with Python (from a known list of Python processes on Windows) is observed.

This was observed recently in an incident Huntress responded to involving RedCurl (AKA RedWolf), a cyber-espionage APT:

https://www.huntress.com/blog/the-hunt-for-redcurl-2

And I can also say that I've personally observed the same in a RedCurl incident from 2023/2024. Depending on how Python is leveraged in your environment, this is more of a threat hunting query than a detection.

In the events that Huntress (and I) observed, an IP address was passed to the rpivot client script, which means you can also adjust the query to look only for events where an IP address (per a regex) is present in the command line.

That kind of technique is also alive and well in malware distributed through SEO poisoning and the like. See the Reference(s) section below.

#### Author
- **Name:** SecurityAura
- **Github:** https://github.com/SecurityAura
- **Twitter:** https://x.com/SecurityAura
- **BlueSky:** https://bsky.app/profile/securityaura.bsky.social
- **Mastodon (InfoSec.Exchange):** https://infosec.exchange/@SecurityAura
- **LinkedIn:** Coming Soon!
- **Website:** https://medium.com/@securityaura

### Reference(s)

- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
- https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif
- https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/

### Queries Overview ###

- Defender for Endpoint (MDE) - 1 query

## Microsoft Defender XDR ##
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
let PythonProcesses = dynamic([
    "python.exe",
    "pythonw.exe",
    "py.exe",
    "pyw.exe"
]);
DeviceNetworkEvents
| where InitiatingProcessFileName in~ (PythonProcesses)
| where RemoteIPType == "Public"
// You can uncomment the line below if you're looking for processes where an IP address is specified in the command line
//| where InitiatingProcessCommandLine matches regex @"(?i)(\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
```
## Microsoft Sentinel ##
### Microsoft Defender for Endpoint via DeviceNetworkEvents ###
```KQL
let PythonProcesses = dynamic([
    "python.exe",
    "pythonw.exe",
    "py.exe",
    "pyw.exe"
]);
DeviceNetworkEvents
| where InitiatingProcessFileName in~ (PythonProcesses)
| where RemoteIPType == "Public"
// You can uncomment the line below if you're looking for processes where an IP address is specified in the command line
//| where InitiatingProcessCommandLine matches regex @"(?i)(\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
```
--------------------------------------------------------------------------------