
Microsoft Sentinel

3,763 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Microsoft Sentinel Converted KQL high T1543.001 ↗
Potential Persistence Via PlistBuddy
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
Image endswith "/PlistBuddy" and (CommandLine contains "RunAtLoad" and CommandLine contains "true") and (CommandLine contains "LaunchAgents" or CommandLine contains "LaunchDaemons")
Microsoft Sentinel Converted KQL high T1053.005 ↗
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious PowerShell execution via a scheduled task where the command line ends with flags that hide the PowerShell window instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique, as seen used by Colibri Loader.
ParentImage =~ "C:\\WINDOWS\\System32\\svchost.exe" and (ParentCommandLine contains "-k netsvcs" and ParentCommandLine contains "-s Schedule") and (CommandLine endswith " -windowstyle hidden" or CommandLine endswith " -w hidden" or CommandLine endswith " -ep bypass" or CommandLine endswith " -noni")
Microsoft Sentinel Converted KQL high
Potential Persistence Via Security Descriptors - ScriptBlock
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
(ScriptBlockText contains "win32_Trustee" and ScriptBlockText contains "win32_Ace" and ScriptBlockText contains ".AccessMask" and ScriptBlockText contains ".AceType" and ScriptBlockText contains ".SetSecurityDescriptor") and (ScriptBlockText contains "\\Lsa\\JD" or ScriptBlockText contains "\\Lsa\\Skew1" or ScriptBlockText contains "\\Lsa\\Data" or ScriptBlockText contains "\\Lsa\\GBG")
Microsoft Sentinel Converted KQL high T1546.011 ↗
Potential Persistence Via Shim Database In Uncommon Location
Detects the installation of a new shim database where the file is located in a non-default location
(TargetObject contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\" and TargetObject contains "\\DatabasePath") and (not(Details contains ":\\Windows\\AppPatch\\Custom"))
Microsoft Sentinel Converted KQL high
Potential Persistence Via TypedPaths
Detects modifications or additions to the 'TypedPaths' key in the user or admin registry hive from a non-standard application, which might indicate a persistence attempt.
TargetObject contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\" and (not((Image in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"))))
Microsoft Sentinel Converted KQL high T1027 ↗
Potential PowerShell Command Line Obfuscation
Detects PowerShell command lines containing an unusually high number of special characters (repeated '+', '{', '^' or backticks), a common sign of command-line obfuscation.
(((Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") or (OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (CommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or CommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or CommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or CommandLine matches regex "`.*`.*`.*`.*`")) and (not((ParentImage =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (CommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or CommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);"))))
Microsoft Sentinel Converted KQL high
Potential PowerShell Execution Policy Tampering - ProcCreation
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
(CommandLine contains "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or CommandLine contains "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy") and (CommandLine contains "Bypass" or CommandLine contains "RemoteSigned" or CommandLine contains "Unrestricted")
Microsoft Sentinel Converted KQL high T1218.011 ↗
Potential PowerShell Execution Via DLL
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
((Image endswith "\\InstallUtil.exe" or Image endswith "\\RegAsm.exe" or Image endswith "\\RegSvcs.exe" or Image endswith "\\regsvr32.exe" or Image endswith "\\rundll32.exe") or (OriginalFileName in~ ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE"))) and (CommandLine contains "Default.GetString" or CommandLine contains "DownloadString" or CommandLine contains "FromBase64String" or CommandLine contains "ICM " or CommandLine contains "IEX " or CommandLine contains "Invoke-Command" or CommandLine contains "Invoke-Expression")
Microsoft Sentinel Converted KQL high T1027 ↗
Potential PowerShell Obfuscation Via Reversed Commands
Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
(((Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") or (OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (CommandLine contains "hctac" or CommandLine contains "kaerb" or CommandLine contains "dnammoc" or CommandLine contains "ekovn" or CommandLine contains "eliFd" or CommandLine contains "rahc" or CommandLine contains "etirw" or CommandLine contains "golon" or CommandLine contains "tninon" or CommandLine contains "eddih" or CommandLine contains "tpircS" or CommandLine contains "ssecorp" or CommandLine contains "llehsrewop" or CommandLine contains "esnopser" or CommandLine contains "daolnwod" or CommandLine contains "tneilCbeW" or CommandLine contains "tneilc" or CommandLine contains "ptth" or CommandLine contains "elifotevas" or CommandLine contains "46esab" or CommandLine contains "htaPpmeTteG" or CommandLine contains "tcejbO" or CommandLine contains "maerts" or CommandLine contains "hcaerof" or CommandLine contains "retupmoc")) and (not((CommandLine contains " -EncodedCommand " or CommandLine contains " -enc ")))
Microsoft Sentinel Converted KQL high T1027 ↗
Potential PowerShell Obfuscation Via WCHAR/CHAR
Detects suspicious encoded character syntax often used for defense evasion
CommandLine contains "[char]0x" or CommandLine contains "(WCHAR)0x"
Microsoft Sentinel Converted KQL high T1059.001 ↗
Potential Powershell ReverseShell Connection
Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others.
((OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe")) and (CommandLine contains " Net.Sockets.TCPClient" and CommandLine contains ".GetStream(" and CommandLine contains ".Write(")
Microsoft Sentinel Converted KQL high
Potential Privilege Escalation Attempt Via .Exe.Local Technique
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
(TargetFilename startswith "C:\\Windows\\System32\\logonUI.exe.local" or TargetFilename startswith "C:\\Windows\\System32\\werFault.exe.local" or TargetFilename startswith "C:\\Windows\\System32\\consent.exe.local" or TargetFilename startswith "C:\\Windows\\System32\\narrator.exe.local" or TargetFilename startswith "C:\\Windows\\System32\\wermgr.exe.local") and TargetFilename endswith "\\comctl32.dll"
Microsoft Sentinel Converted KQL high T1587.001 ↗
Potential Privilege Escalation To LOCAL SYSTEM
Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges.
(CommandLine contains " -s cmd" or CommandLine contains " /s cmd" or CommandLine contains " –s cmd" or CommandLine contains " —s cmd" or CommandLine contains " ―s cmd" or CommandLine contains " -s -i cmd" or CommandLine contains " -s /i cmd" or CommandLine contains " -s –i cmd" or CommandLine contains " -s —i cmd" or CommandLine contains " -s ―i cmd" or CommandLine contains " /s -i cmd" or CommandLine contains " /s /i cmd" or CommandLine contains " /s –i cmd" or CommandLine contains " /s —i cmd" or CommandLine contains " /s ―i cmd" or CommandLine contains " –s -i cmd" or CommandLine contains " –s /i cmd" or CommandLine contains " –s –i cmd" or CommandLine contains " –s —i cmd" or CommandLine contains " –s ―i cmd" or CommandLine contains " —s -i cmd" or CommandLine contains " —s /i cmd" or CommandLine contains " —s –i cmd" or CommandLine contains " —s —i cmd" or CommandLine contains " —s ―i cmd" or CommandLine contains " ―s -i cmd" or CommandLine contains " ―s /i cmd" or CommandLine contains " ―s –i cmd" or CommandLine contains " ―s —i cmd" or CommandLine contains " ―s ―i cmd" or CommandLine contains " -i -s cmd" or CommandLine contains " -i /s cmd" or CommandLine contains " -i –s cmd" or CommandLine contains " -i —s cmd" or CommandLine contains " -i ―s cmd" or CommandLine contains " /i -s cmd" or CommandLine contains " /i /s cmd" or CommandLine contains " /i –s cmd" or CommandLine contains " /i —s cmd" or CommandLine contains " /i ―s cmd" or CommandLine contains " –i -s cmd" or CommandLine contains " –i /s cmd" or CommandLine contains " –i –s cmd" or CommandLine contains " –i —s cmd" or CommandLine contains " –i ―s cmd" or CommandLine contains " —i -s cmd" or CommandLine contains " —i /s cmd" or CommandLine contains " —i –s cmd" or CommandLine contains " —i —s cmd" or CommandLine contains " —i ―s cmd" or CommandLine contains " ―i -s cmd" or CommandLine contains " ―i /s cmd" or CommandLine contains " ―i –s cmd" or CommandLine contains " ―i —s cmd" or CommandLine contains " ―i ―s cmd" or CommandLine contains " -s pwsh" or CommandLine contains " /s pwsh" or CommandLine contains " –s pwsh" or CommandLine contains " —s pwsh" or CommandLine contains " ―s pwsh" or CommandLine contains " -s -i pwsh" or CommandLine contains " -s /i pwsh" or CommandLine contains " -s –i pwsh" or CommandLine contains " -s —i pwsh" or CommandLine contains " -s ―i pwsh" or CommandLine contains " /s -i pwsh" or CommandLine contains " /s /i pwsh" or CommandLine contains " /s –i pwsh" or CommandLine contains " /s —i pwsh" or CommandLine contains " /s ―i pwsh" or CommandLine contains " –s -i pwsh" or CommandLine contains " –s /i pwsh" or CommandLine contains " –s –i pwsh" or CommandLine contains " –s —i pwsh" or CommandLine contains " –s ―i pwsh" or CommandLine contains " —s -i pwsh" or CommandLine contains " —s /i pwsh" or CommandLine contains " —s –i pwsh" or CommandLine contains " —s —i pwsh" or CommandLine contains " —s ―i pwsh" or CommandLine contains " ―s -i pwsh" or CommandLine contains " ―s /i pwsh" or CommandLine contains " ―s –i pwsh" or CommandLine contains " ―s —i pwsh" or CommandLine contains " ―s ―i pwsh" or CommandLine contains " -i -s pwsh" or CommandLine contains " -i /s pwsh" or CommandLine contains " -i –s pwsh" or CommandLine contains " -i —s pwsh" or CommandLine contains " -i ―s pwsh" or CommandLine contains " /i -s pwsh" or CommandLine contains " /i /s pwsh" or CommandLine contains " /i –s pwsh" or CommandLine contains " /i —s pwsh" or CommandLine contains " /i ―s pwsh" or CommandLine contains " –i -s pwsh" or CommandLine contains " –i /s pwsh" or CommandLine contains " –i –s pwsh" or CommandLine contains " –i —s pwsh" or CommandLine contains " –i ―s pwsh" or CommandLine contains " —i -s pwsh" or CommandLine contains " —i /s pwsh" or CommandLine contains " —i –s pwsh" or CommandLine contains " —i —s pwsh" or CommandLine contains " —i ―s pwsh" or CommandLine contains " ―i -s pwsh" or CommandLine contains " ―i /s pwsh" or CommandLine contains " ―i –s pwsh" or CommandLine contains " ―i —s pwsh" or CommandLine contains " ―i ―s pwsh" or CommandLine contains " -s powershell" or CommandLine contains " /s powershell" or CommandLine contains " –s powershell" or CommandLine contains " —s powershell" or CommandLine contains " ―s powershell" or CommandLine contains " -s -i powershell" or CommandLine contains " -s /i powershell" or CommandLine contains " -s –i powershell" or CommandLine contains " -s —i powershell" or CommandLine contains " -s ―i powershell" or CommandLine contains " /s -i powershell" or CommandLine contains " /s /i powershell" or CommandLine contains " /s –i powershell" or CommandLine contains " /s —i powershell" or CommandLine contains " /s ―i powershell" or CommandLine contains " –s -i powershell" or CommandLine contains " –s /i powershell" or CommandLine contains " –s –i powershell" or CommandLine contains " –s —i powershell" or CommandLine contains " –s ―i powershell" or CommandLine contains " —s -i powershell" or CommandLine contains " —s /i powershell" or CommandLine contains " —s –i powershell" or CommandLine contains " —s —i powershell" or CommandLine contains " —s ―i powershell" or CommandLine contains " ―s -i powershell" or CommandLine contains " ―s /i powershell" or CommandLine contains " ―s –i powershell" or CommandLine contains " ―s —i powershell" or CommandLine contains " ―s ―i powershell" or CommandLine contains " -i -s powershell" or CommandLine contains " -i /s powershell" or CommandLine contains " -i –s powershell" or CommandLine contains " -i —s powershell" or CommandLine contains " -i ―s powershell" or CommandLine contains " /i -s powershell" or CommandLine contains " /i /s powershell" or CommandLine contains " /i –s powershell" or CommandLine contains " /i —s powershell" or CommandLine contains " /i ―s powershell" or CommandLine contains " –i -s powershell" or CommandLine contains " –i /s powershell" or CommandLine contains " –i –s powershell" or CommandLine contains " –i —s powershell" or CommandLine contains " –i ―s powershell" or CommandLine contains " —i -s powershell" or CommandLine contains " —i /s powershell" or CommandLine contains " —i –s powershell" or CommandLine contains " —i —s powershell" or CommandLine contains " —i ―s powershell" or CommandLine contains " ―i -s powershell" or CommandLine contains " ―i /s powershell" or CommandLine contains " ―i –s powershell" or CommandLine contains " ―i —s powershell" or CommandLine contains " ―i ―s powershell") and (not((CommandLine contains "paexec" or CommandLine contains "PsExec" or CommandLine contains "accepteula")))
Microsoft Sentinel Converted KQL high T1546.008 ↗
Potential Privilege Escalation Using Symlink Between Osk and Cmd
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
(Image endswith "\\cmd.exe" or OriginalFileName =~ "Cmd.Exe") and (CommandLine contains "mklink" and CommandLine contains "\\osk.exe" and CommandLine contains "\\cmd.exe")
Microsoft Sentinel Converted KQL high T1548 ↗
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
(EventID == 4624 and LogonType == 3 and AuthenticationPackageName =~ "Kerberos" and IpAddress =~ "127.0.0.1" and TargetUserSid startswith "S-1-5-21-" and TargetUserSid endswith "-500") and (not(IpPort =~ "0"))
Microsoft Sentinel Converted KQL high T1574.011 ↗
Potential Privilege Escalation via Service Permissions Weakness
Detects modification of service configuration values (ImagePath, FailureCommand and ServiceDll) in the registry by processes running at Medium integrity level.
(IntegrityLevel in~ ("Medium", "S-1-16-8192")) and (CommandLine contains "ControlSet" and CommandLine contains "services") and (CommandLine contains "\\ImagePath" or CommandLine contains "\\FailureCommand" or CommandLine contains "\\ServiceDll")
Microsoft Sentinel Converted KQL high T1055 ↗
Potential Process Injection Via Msra.EXE
Detects potential process injection via Microsoft Remote Assistance (msra.exe) by looking at suspicious child processes spawned from that process. It has been a target used by many threat actors for discovery and persistence tactics.
ParentImage endswith "\\msra.exe" and ParentCommandLine endswith "msra.exe" and (Image endswith "\\arp.exe" or Image endswith "\\cmd.exe" or Image endswith "\\net.exe" or Image endswith "\\netstat.exe" or Image endswith "\\nslookup.exe" or Image endswith "\\route.exe" or Image endswith "\\schtasks.exe" or Image endswith "\\whoami.exe")
Microsoft Sentinel Converted KQL high T1218 ↗
Potential Provisioning Registry Key Abuse For Binary Proxy Execution
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
CommandLine contains "SOFTWARE\\Microsoft\\Provisioning\\Commands\\"
Microsoft Sentinel Converted KQL high T1218 ↗
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
TargetObject contains "\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\"
Microsoft Sentinel Converted KQL high T1587.001 ↗
Potential PsExec Remote Execution
Detects a potential PsExec command that initiates execution on a remote system, based on common command-line flags used by the utility.
(CommandLine contains "accepteula" and CommandLine contains " -u " and CommandLine contains " -p " and CommandLine contains " \\\\") and (not((CommandLine contains "\\\\localhost" or CommandLine contains "\\\\127.")))
Microsoft Sentinel Converted KQL high T1112 ↗
Potential Qakbot Registry Activity
Detects a registry key used by IcedID in a campaign that distributes malicious OneNote files.
TargetObject endswith "\\Software\\firm\\soft\\Name"
Microsoft Sentinel Converted KQL high T1190 ↗
Potential RCE Exploitation Attempt In NodeJS
Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
"node:child_process"
Microsoft Sentinel Converted KQL high T1572 ↗
Potential RDP Tunneling Via Plink
Detects execution of plink to perform data exfiltration and tunneling.
(Image endswith "\\plink.exe" and CommandLine contains ":127.0.0.1:3389") or ((Image endswith "\\plink.exe" and CommandLine contains ":3389") and (CommandLine contains " -P 443" or CommandLine contains " -P 22"))
Microsoft Sentinel Converted KQL high T1572 ↗
Potential RDP Tunneling Via SSH
Detects execution of ssh.exe to perform data exfiltration and RDP tunneling.
Image endswith "\\ssh.exe" and CommandLine contains ":3389"
Microsoft Sentinel Converted KQL high T1491.001 ↗
Potential Ransomware Activity Using LegalNotice Message
Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom notes.
(TargetObject contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption" or TargetObject contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText") and (Details contains "encrypted" or Details contains "Unlock-Password" or Details contains "paying")
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
ImageLoaded endswith "\\rcdll.dll" and (not((ImageLoaded startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or ImageLoaded startswith "C:\\Program Files (x86)\\Windows Kits\\")))
Microsoft Sentinel Converted KQL high
Potential Recon Activity Using DriverQuery.EXE
Detects usage of the "driverquery" utility to perform reconnaissance on installed drivers.
(Image endswith "driverquery.exe" or OriginalFileName =~ "drvqry.exe") and ((ParentImage endswith "\\cscript.exe" or ParentImage endswith "\\mshta.exe" or ParentImage endswith "\\regsvr32.exe" or ParentImage endswith "\\rundll32.exe" or ParentImage endswith "\\wscript.exe") or (ParentImage contains "\\AppData\\Local\\" or ParentImage contains "\\Users\\Public\\" or ParentImage contains "\\Windows\\Temp\\"))
Microsoft Sentinel Converted KQL high T1003.005 ↗
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
Detects usage of cmdkey to look for cached credentials on the system
(Image endswith "\\cmdkey.exe" or OriginalFileName =~ "cmdkey.exe") and (CommandLine contains " -l" or CommandLine contains " /l" or CommandLine contains " –l" or CommandLine contains " —l" or CommandLine contains " ―l")
Microsoft Sentinel Converted KQL high T1053.005 ↗
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
(TargetObject contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\" and TargetObject endswith "\\Command" and (Details contains ".bat" or Details contains ".bin" or Details contains ".cmd" or Details contains ".dat" or Details contains ".dll" or Details contains ".exe" or Details contains ".hta" or Details contains ".jar" or Details contains ".js" or Details contains ".msi" or Details contains ".ps" or Details contains ".sh" or Details contains ".vb")) and (not((Details contains "\\system32\\CompatTelRunner.exe" or Details contains "\\system32\\DeviceCensus.exe")))
Microsoft Sentinel Converted KQL high T1021.006 ↗
Potential Remote PowerShell Session Initiated
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
((DestinationPort in~ ("5985", "5986")) and Initiated =~ "true" and SourceIsIpv6 =~ "false") and (not((((User contains "NETWORK SERVICE" or User contains "NETZWERKDIENST" or User contains "SERVICIO DE RED" or User contains "SERVIZIO DI RETE") or (User contains "SERVICE R" and User contains "SEAU")) or ((SourceIp in~ ("::1", "127.0.0.1")) and (DestinationIp in~ ("::1", "127.0.0.1")))))) and (not((Image in~ ("C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe", "C:\\Program Files (x86)\\Avast Software\\Avast\\AvastSvc.exe"))))
Microsoft Sentinel Converted KQL high T1047 ↗
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
(Image endswith "\\wmic.exe" or OriginalFileName =~ "wmic.exe" or (Hashes contains "IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E" or Hashes contains "IMPHASH=37777A96245A3C74EB217308F3546F4C" or Hashes contains "IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206" or Hashes contains "IMPHASH=B12619881D79C3ACADF45E752A58554A" or Hashes contains "IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00")) and ((CommandLine contains "-format:" or CommandLine contains "/format:" or CommandLine contains "–format:" or CommandLine contains "—format:" or CommandLine contains "―format:") and (CommandLine contains "://" or CommandLine contains "\\\\"))
Microsoft Sentinel Converted KQL high T1218 ↗
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Data contains "ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {"
Microsoft Sentinel Converted KQL high T1218 ↗
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Payload contains "ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {"
Microsoft Sentinel Converted KQL high T1218 ↗
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
ScriptBlockText startswith "function Get-VMRemoteFXPhysicalVideoAdapter {"
Microsoft Sentinel Converted KQL high
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
CommandLine contains "DllRegisterServer" and (not(Image endswith "\\rundll32.exe"))
Microsoft Sentinel Converted KQL high T1547 ↗
Potential RipZip Attack on Startup Folder
Detects a phishing attack in which a ZIP file containing a malicious shortcut is expanded. If the victim expands the ZIP file via the explorer process, explorer drops a malicious shortcut that redirects to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in the Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D}, which denotes a folder shortcut operation.
(TargetFilename contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" and TargetFilename contains ".lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}") and Image endswith "\\explorer.exe"
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
(ImageLoaded endswith "\\RjvPlatform.dll" and Image endswith "\\SystemResetPlatform.exe") and (not(Image startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
Microsoft Sentinel Converted KQL high T1564.004 ↗
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
(Image endswith "\\rundll32.exe" or OriginalFileName =~ "RUNDLL32.EXE") and CommandLine matches regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(?:\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:"
Microsoft Sentinel Converted KQL high T1003.002 ↗
Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
(TargetFilename endswith "\\Temp\\sam" or TargetFilename endswith "\\sam.sav" or TargetFilename endswith "\\Intel\\sam" or TargetFilename endswith "\\sam.hive" or TargetFilename endswith "\\Perflogs\\sam" or TargetFilename endswith "\\ProgramData\\sam" or TargetFilename endswith "\\Users\\Public\\sam" or TargetFilename endswith "\\AppData\\Local\\sam" or TargetFilename endswith "\\AppData\\Roaming\\sam" or TargetFilename endswith "_ShadowSteal.zip" or TargetFilename endswith "\\Documents\\SAM.export" or TargetFilename endswith ":\\sam") or (TargetFilename contains "\\hive_sam_" or TargetFilename contains "\\sam.save" or TargetFilename contains "\\sam.export" or TargetFilename contains "\\~reg_sam.save" or TargetFilename contains "\\sam_backup" or TargetFilename contains "\\sam.bck" or TargetFilename contains "\\sam.backup")
Microsoft Sentinel Converted KQL high T1053.005 ↗
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via the command line using schtasks.exe. This rule detects task creation that calls OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.
(Image endswith "\\schtasks.exe" or OriginalFileName =~ "schtasks.exe") and ((CommandLine contains " /create " and CommandLine contains "sshd.exe" and CommandLine contains "-f") or (CommandLine contains " /create " and CommandLine contains "ssh.exe" and CommandLine contains "-i"))
Microsoft Sentinel Converted KQL high T1190 ↗
Potential Server Side Template Injection In Velocity
Detects exceptions in the Velocity template renderer; these most likely happen due to dynamic rendering of user input and may lead to RCE.
"ParseErrorException" or "VelocityException" or "TemplateInitException"
Microsoft Sentinel Converted KQL high
Potential Signing Bypass Via Windows Developer Features
Detects when a user enables developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.
(Image endswith "\\SystemSettingsAdminFlows.exe" or OriginalFileName =~ "SystemSettingsAdminFlows.EXE") and CommandLine contains "TurnOnDeveloperFeatures" and (CommandLine contains "DeveloperUnlock" or CommandLine contains "EnableSideloading")
Microsoft Sentinel Converted KQL high
Potential Signing Bypass Via Windows Developer Features - Registry
Detects the enablement, via the registry, of developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.
(TargetObject contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or TargetObject contains "\\Policies\\Microsoft\\Windows\\Appx\\") and (TargetObject endswith "\\AllowAllTrustedApps" or TargetObject endswith "\\AllowDevelopmentWithoutDevLicense") and Details =~ "DWORD (0x00000001)"
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
(ImageLoaded endswith "\\SmadHook32c.dll" or ImageLoaded endswith "\\SmadHook64c.dll") and (not(((Image in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (ImageLoaded startswith "C:\\Program Files (x86)\\SMADAV\\" or ImageLoaded startswith "C:\\Program Files\\SMADAV\\"))))
Microsoft Sentinel Converted KQL high T1190 ↗
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
"org.springframework.expression.ExpressionException"
Microsoft Sentinel Converted KQL high T1547.001 ↗
Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
(Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") and TargetFilename contains "\\start menu\\programs\\startup\\" and TargetFilename endswith ".lnk"
Microsoft Sentinel Converted KQL high
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
"bpf_probe_write_user"
Microsoft Sentinel Converted KQL high T1218 ↗
Potential Suspicious Mofcomp Execution
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts
((Image endswith "\\mofcomp.exe" or OriginalFileName =~ "mofcomp.exe") and ((ParentImage endswith "\\cmd.exe" or ParentImage endswith "\\powershell.exe" or ParentImage endswith "\\pwsh.exe" or ParentImage endswith "\\wsl.exe" or ParentImage endswith "\\wscript.exe" or ParentImage endswith "\\cscript.exe") or (CommandLine contains "\\AppData\\Local\\Temp" or CommandLine contains "\\Users\\Public\\" or CommandLine contains "\\WINDOWS\\Temp\\" or CommandLine contains "%temp%" or CommandLine contains "%tmp%" or CommandLine contains "%appdata%"))) and (not((ParentImage =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and CommandLine contains "C:\\Windows\\TEMP\\" and CommandLine endswith ".mof"))) and (not((CommandLine contains "C:\\Windows\\TEMP\\" and CommandLine endswith ".mof")))
Microsoft Sentinel Converted KQL high
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
Contents startswith "[ZoneTransfer]  ZoneId=3" and (Contents contains "://1" or Contents contains "://2" or Contents contains "://3" or Contents contains "://4" or Contents contains "://5" or Contents contains "://6" or Contents contains "://7" or Contents contains "://8" or Contents contains "://9") and TargetFilename endswith ":Zone.Identifier" and TargetFilename contains "\\AppData\\Local\\Temp\\WinGet\\"
Microsoft Sentinel Converted KQL high T1003.001 ↗
Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
(CommandLine contains "copy procdump" or CommandLine contains "move procdump") or ((CommandLine contains "copy " and CommandLine contains ".dmp ") and (CommandLine contains "2.dmp" or CommandLine contains "lsass" or CommandLine contains "out.dmp")) or (CommandLine contains "copy lsass.exe_" or CommandLine contains "move lsass.exe_")
Showing 801-850 of 3,763