
Microsoft Sentinel

3,763 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Microsoft Sentinel Converted KQL high T1574.001
Potential System DLL Sideloading From Non System Locations
Detects sideloading of DLLs that are normally located in system directories (System32, SysWOW64, etc.) when they are loaded from non-system locations.
Query:
(ImageLoaded endswith "\\aclui.dll" or ImageLoaded endswith "\\activeds.dll" or ImageLoaded endswith "\\adsldpc.dll" or ImageLoaded endswith "\\aepic.dll" or ImageLoaded endswith "\\apphelp.dll" or ImageLoaded endswith "\\applicationframe.dll" or ImageLoaded endswith "\\appvpolicy.dll" or ImageLoaded endswith "\\appxalluserstore.dll" or ImageLoaded endswith "\\appxdeploymentclient.dll" or ImageLoaded endswith "\\archiveint.dll" or ImageLoaded endswith "\\atl.dll" or ImageLoaded endswith "\\audioses.dll" or ImageLoaded endswith "\\auditpolcore.dll" or ImageLoaded endswith "\\authfwcfg.dll" or ImageLoaded endswith "\\authz.dll" or ImageLoaded endswith "\\avrt.dll" or ImageLoaded endswith "\\batmeter.dll" or ImageLoaded endswith "\\bcd.dll" or ImageLoaded endswith "\\bcp47langs.dll" or ImageLoaded endswith "\\bcp47mrm.dll" or ImageLoaded endswith "\\bcrypt.dll" or ImageLoaded endswith "\\bderepair.dll" or ImageLoaded endswith "\\bootmenuux.dll" or ImageLoaded endswith "\\bootux.dll" or ImageLoaded endswith "\\cabinet.dll" or ImageLoaded endswith "\\cabview.dll" or ImageLoaded endswith "\\certcli.dll" or ImageLoaded endswith "\\certenroll.dll" or ImageLoaded endswith "\\cfgmgr32.dll" or ImageLoaded endswith "\\cldapi.dll" or ImageLoaded endswith "\\clipc.dll" or ImageLoaded endswith "\\clusapi.dll" or ImageLoaded endswith "\\cmpbk32.dll" or ImageLoaded endswith "\\cmutil.dll" or ImageLoaded endswith "\\coloradapterclient.dll" or ImageLoaded endswith "\\colorui.dll" or ImageLoaded endswith "\\comdlg32.dll" or ImageLoaded endswith "\\configmanager2.dll" or ImageLoaded endswith "\\connect.dll" or ImageLoaded endswith "\\coredplus.dll" or ImageLoaded endswith "\\coremessaging.dll" or ImageLoaded endswith "\\coreuicomponents.dll" or ImageLoaded endswith "\\credui.dll" or ImageLoaded endswith "\\cryptbase.dll" or ImageLoaded endswith "\\cryptdll.dll" or ImageLoaded endswith "\\cryptsp.dll" or ImageLoaded endswith "\\cryptui.dll" or ImageLoaded endswith "\\cryptxml.dll" or 
ImageLoaded endswith "\\cscapi.dll" or ImageLoaded endswith "\\cscobj.dll" or ImageLoaded endswith "\\cscui.dll" or ImageLoaded endswith "\\d2d1.dll" or ImageLoaded endswith "\\d3d10_1.dll" or ImageLoaded endswith "\\d3d10_1core.dll" or ImageLoaded endswith "\\d3d10.dll" or ImageLoaded endswith "\\d3d10core.dll" or ImageLoaded endswith "\\d3d10warp.dll" or ImageLoaded endswith "\\d3d11.dll" or ImageLoaded endswith "\\d3d12.dll" or ImageLoaded endswith "\\d3d9.dll" or ImageLoaded endswith "\\d3dx9_43.dll" or ImageLoaded endswith "\\dataexchange.dll" or ImageLoaded endswith "\\davclnt.dll" or ImageLoaded endswith "\\dcntel.dll" or ImageLoaded endswith "\\dcomp.dll" or ImageLoaded endswith "\\defragproxy.dll" or ImageLoaded endswith "\\desktopshellext.dll" or ImageLoaded endswith "\\deviceassociation.dll" or ImageLoaded endswith "\\devicecredential.dll" or ImageLoaded endswith "\\devicepairing.dll" or ImageLoaded endswith "\\devobj.dll" or ImageLoaded endswith "\\devrtl.dll" or ImageLoaded endswith "\\dhcpcmonitor.dll" or ImageLoaded endswith "\\dhcpcsvc.dll" or ImageLoaded endswith "\\dhcpcsvc6.dll" or ImageLoaded endswith "\\directmanipulation.dll" or ImageLoaded endswith "\\dismapi.dll" or ImageLoaded endswith "\\dismcore.dll" or ImageLoaded endswith "\\dmcfgutils.dll" or ImageLoaded endswith "\\dmcmnutils.dll" or ImageLoaded endswith "\\dmcommandlineutils.dll" or ImageLoaded endswith "\\dmenrollengine.dll" or ImageLoaded endswith "\\dmenterprisediagnostics.dll" or ImageLoaded endswith "\\dmiso8601utils.dll" or ImageLoaded endswith "\\dmoleaututils.dll" or ImageLoaded endswith "\\dmprocessxmlfiltered.dll" or ImageLoaded endswith "\\dmpushproxy.dll" or ImageLoaded endswith "\\dmxmlhelputils.dll" or ImageLoaded endswith "\\dnsapi.dll" or ImageLoaded endswith "\\dot3api.dll" or ImageLoaded endswith "\\dot3cfg.dll" or ImageLoaded endswith "\\dpx.dll" or ImageLoaded endswith "\\drprov.dll" or ImageLoaded endswith "\\drvstore.dll" or ImageLoaded endswith "\\dsclient.dll" 
or ImageLoaded endswith "\\dsparse.dll" or ImageLoaded endswith "\\dsprop.dll" or ImageLoaded endswith "\\dsreg.dll" or ImageLoaded endswith "\\dsrole.dll" or ImageLoaded endswith "\\dui70.dll" or ImageLoaded endswith "\\duser.dll" or ImageLoaded endswith "\\dusmapi.dll" or ImageLoaded endswith "\\dwmapi.dll" or ImageLoaded endswith "\\dwmcore.dll" or ImageLoaded endswith "\\dwrite.dll" or ImageLoaded endswith "\\dxcore.dll" or ImageLoaded endswith "\\dxgi.dll" or ImageLoaded endswith "\\dxva2.dll" or ImageLoaded endswith "\\dynamoapi.dll" or ImageLoaded endswith "\\eappcfg.dll" or ImageLoaded endswith "\\eappprxy.dll" or ImageLoaded endswith "\\edgeiso.dll" or ImageLoaded endswith "\\edputil.dll" or ImageLoaded endswith "\\efsadu.dll" or ImageLoaded endswith "\\efsutil.dll" or ImageLoaded endswith "\\esent.dll" or ImageLoaded endswith "\\execmodelproxy.dll" or ImageLoaded endswith "\\explorerframe.dll" or ImageLoaded endswith "\\fastprox.dll" or ImageLoaded endswith "\\faultrep.dll" or ImageLoaded endswith "\\fddevquery.dll" or ImageLoaded endswith "\\feclient.dll" or ImageLoaded endswith "\\fhcfg.dll" or ImageLoaded endswith "\\fhsvcctl.dll" or ImageLoaded endswith "\\firewallapi.dll" or ImageLoaded endswith "\\flightsettings.dll" or ImageLoaded endswith "\\fltlib.dll" or ImageLoaded endswith "\\framedynos.dll" or ImageLoaded endswith "\\fveapi.dll" or ImageLoaded endswith "\\fveskybackup.dll" or ImageLoaded endswith "\\fvewiz.dll" or ImageLoaded endswith "\\fwbase.dll" or ImageLoaded endswith "\\fwcfg.dll" or ImageLoaded endswith "\\fwpolicyiomgr.dll" or ImageLoaded endswith "\\fwpuclnt.dll" or ImageLoaded endswith "\\fxsapi.dll" or ImageLoaded endswith "\\fxsst.dll" or ImageLoaded endswith "\\fxstiff.dll" or ImageLoaded endswith "\\getuname.dll" or ImageLoaded endswith "\\gpapi.dll" or ImageLoaded endswith "\\hid.dll" or ImageLoaded endswith "\\hnetmon.dll" or ImageLoaded endswith "\\httpapi.dll" or ImageLoaded endswith "\\icmp.dll" or ImageLoaded endswith 
"\\idstore.dll" or ImageLoaded endswith "\\ieadvpack.dll" or ImageLoaded endswith "\\iedkcs32.dll" or ImageLoaded endswith "\\iernonce.dll" or ImageLoaded endswith "\\iertutil.dll" or ImageLoaded endswith "\\ifmon.dll" or ImageLoaded endswith "\\ifsutil.dll" or ImageLoaded endswith "\\inproclogger.dll" or ImageLoaded endswith "\\iphlpapi.dll" or ImageLoaded endswith "\\iri.dll" or ImageLoaded endswith "\\iscsidsc.dll" or ImageLoaded endswith "\\iscsium.dll" or ImageLoaded endswith "\\isv.exe_rsaenh.dll" or ImageLoaded endswith "\\iumbase.dll" or ImageLoaded endswith "\\iumsdk.dll" or ImageLoaded endswith "\\joinutil.dll" or ImageLoaded endswith "\\kdstub.dll" or ImageLoaded endswith "\\ksuser.dll" or ImageLoaded endswith "\\ktmw32.dll" or ImageLoaded endswith "\\licensemanagerapi.dll" or ImageLoaded endswith "\\licensingdiagspp.dll" or ImageLoaded endswith "\\linkinfo.dll" or ImageLoaded endswith "\\loadperf.dll" or ImageLoaded endswith "\\lockhostingframework.dll" or ImageLoaded endswith "\\logoncli.dll" or ImageLoaded endswith "\\logoncontroller.dll" or ImageLoaded endswith "\\lpksetupproxyserv.dll" or ImageLoaded endswith "\\lrwizdll.dll" or ImageLoaded endswith "\\magnification.dll" or ImageLoaded endswith "\\maintenanceui.dll" or ImageLoaded endswith "\\mapistub.dll" or ImageLoaded endswith "\\mbaexmlparser.dll" or ImageLoaded endswith "\\mdmdiagnostics.dll" or ImageLoaded endswith "\\mfc42u.dll" or ImageLoaded endswith "\\mfcore.dll" or ImageLoaded endswith "\\mfplat.dll" or ImageLoaded endswith "\\mi.dll" or ImageLoaded endswith "\\midimap.dll" or ImageLoaded endswith "\\mintdh.dll" or ImageLoaded endswith "\\miutils.dll" or ImageLoaded endswith "\\mlang.dll" or ImageLoaded endswith "\\mmdevapi.dll" or ImageLoaded endswith "\\mobilenetworking.dll" or ImageLoaded endswith "\\mpr.dll" or ImageLoaded endswith "\\mprapi.dll" or ImageLoaded endswith "\\mrmcorer.dll" or ImageLoaded endswith "\\msacm32.dll" or ImageLoaded endswith "\\mscms.dll" or ImageLoaded 
endswith "\\mscoree.dll" or ImageLoaded endswith "\\msctf.dll" or ImageLoaded endswith "\\msctfmonitor.dll" or ImageLoaded endswith "\\msdrm.dll" or ImageLoaded endswith "\\msdtctm.dll" or ImageLoaded endswith "\\msftedit.dll" or ImageLoaded endswith "\\msi.dll" or ImageLoaded endswith "\\msiso.dll" or ImageLoaded endswith "\\msutb.dll" or ImageLoaded endswith "\\msvcp110_win.dll" or ImageLoaded endswith "\\mswb7.dll" or ImageLoaded endswith "\\mswsock.dll" or ImageLoaded endswith "\\msxml3.dll" or ImageLoaded endswith "\\mtxclu.dll" or ImageLoaded endswith "\\napinsp.dll" or ImageLoaded endswith "\\ncrypt.dll" or ImageLoaded endswith "\\ndfapi.dll" or ImageLoaded endswith "\\netapi32.dll" or ImageLoaded endswith "\\netid.dll" or ImageLoaded endswith "\\netiohlp.dll" or ImageLoaded endswith "\\netjoin.dll" or ImageLoaded endswith "\\netplwiz.dll" or ImageLoaded endswith "\\netprofm.dll" or ImageLoaded endswith "\\netprovfw.dll" or ImageLoaded endswith "\\netsetupapi.dll" or ImageLoaded endswith "\\netshell.dll" or ImageLoaded endswith "\\nettrace.dll" or ImageLoaded endswith "\\netutils.dll" or ImageLoaded endswith "\\networkexplorer.dll" or ImageLoaded endswith "\\newdev.dll" or ImageLoaded endswith "\\ninput.dll" or ImageLoaded endswith "\\nlaapi.dll" or ImageLoaded endswith "\\nlansp_c.dll" or ImageLoaded endswith "\\npmproxy.dll" or ImageLoaded endswith "\\nshhttp.dll" or ImageLoaded endswith "\\nshipsec.dll" or ImageLoaded endswith "\\nshwfp.dll" or ImageLoaded endswith "\\ntdsapi.dll" or ImageLoaded endswith "\\ntlanman.dll" or ImageLoaded endswith "\\ntlmshared.dll" or ImageLoaded endswith "\\ntmarta.dll" or ImageLoaded endswith "\\ntshrui.dll" or ImageLoaded endswith "\\oleacc.dll" or ImageLoaded endswith "\\omadmapi.dll" or ImageLoaded endswith "\\onex.dll" or ImageLoaded endswith "\\opcservices.dll" or ImageLoaded endswith "\\osbaseln.dll" or ImageLoaded endswith "\\osksupport.dll" or ImageLoaded endswith "\\osuninst.dll" or ImageLoaded endswith 
"\\p2p.dll" or ImageLoaded endswith "\\p2pnetsh.dll" or ImageLoaded endswith "\\p9np.dll" or ImageLoaded endswith "\\pcaui.dll" or ImageLoaded endswith "\\pdh.dll" or ImageLoaded endswith "\\peerdistsh.dll" or ImageLoaded endswith "\\pkeyhelper.dll" or ImageLoaded endswith "\\pla.dll" or ImageLoaded endswith "\\playsndsrv.dll" or ImageLoaded endswith "\\pnrpnsp.dll" or ImageLoaded endswith "\\policymanager.dll" or ImageLoaded endswith "\\polstore.dll" or ImageLoaded endswith "\\powrprof.dll" or ImageLoaded endswith "\\printui.dll" or ImageLoaded endswith "\\prntvpt.dll" or ImageLoaded endswith "\\profapi.dll" or ImageLoaded endswith "\\propsys.dll" or ImageLoaded endswith "\\proximitycommon.dll" or ImageLoaded endswith "\\proximityservicepal.dll" or ImageLoaded endswith "\\prvdmofcomp.dll" or ImageLoaded endswith "\\puiapi.dll" or ImageLoaded endswith "\\radcui.dll" or ImageLoaded endswith "\\rasapi32.dll" or ImageLoaded endswith "\\rasdlg.dll" or ImageLoaded endswith "\\rasgcw.dll" or ImageLoaded endswith "\\rasman.dll" or ImageLoaded endswith "\\rasmontr.dll" or ImageLoaded endswith "\\reagent.dll" or ImageLoaded endswith "\\regapi.dll" or ImageLoaded endswith "\\reseteng.dll" or ImageLoaded endswith "\\resetengine.dll" or ImageLoaded endswith "\\resutils.dll" or ImageLoaded endswith "\\rmclient.dll" or ImageLoaded endswith "\\rpcnsh.dll" or ImageLoaded endswith "\\rsaenh.dll" or ImageLoaded endswith "\\rtutils.dll" or ImageLoaded endswith "\\rtworkq.dll" or ImageLoaded endswith "\\samcli.dll" or ImageLoaded endswith "\\samlib.dll" or ImageLoaded endswith "\\sapi_onecore.dll" or ImageLoaded endswith "\\sas.dll" or ImageLoaded endswith "\\scansetting.dll" or ImageLoaded endswith "\\scecli.dll" or ImageLoaded endswith "\\schedcli.dll" or ImageLoaded endswith "\\secur32.dll" or ImageLoaded endswith "\\security.dll" or ImageLoaded endswith "\\sensapi.dll" or ImageLoaded endswith "\\shell32.dll" or ImageLoaded endswith "\\shfolder.dll" or ImageLoaded endswith 
"\\slc.dll" or ImageLoaded endswith "\\snmpapi.dll" or ImageLoaded endswith "\\spectrumsyncclient.dll" or ImageLoaded endswith "\\spp.dll" or ImageLoaded endswith "\\sppc.dll" or ImageLoaded endswith "\\sppcext.dll" or ImageLoaded endswith "\\srclient.dll" or ImageLoaded endswith "\\srcore.dll" or ImageLoaded endswith "\\srmtrace.dll" or ImageLoaded endswith "\\srpapi.dll" or ImageLoaded endswith "\\srvcli.dll" or ImageLoaded endswith "\\ssp_isv.exe_rsaenh.dll" or ImageLoaded endswith "\\ssp.exe_rsaenh.dll" or ImageLoaded endswith "\\sspicli.dll" or ImageLoaded endswith "\\ssshim.dll" or ImageLoaded endswith "\\staterepository.core.dll" or ImageLoaded endswith "\\structuredquery.dll" or ImageLoaded endswith "\\sxshared.dll" or ImageLoaded endswith "\\systemsettingsthresholdadminflowui.dll" or ImageLoaded endswith "\\tapi32.dll" or ImageLoaded endswith "\\tbs.dll" or ImageLoaded endswith "\\tdh.dll" or ImageLoaded endswith "\\textshaping.dll" or ImageLoaded endswith "\\timesync.dll" or ImageLoaded endswith "\\tpmcoreprovisioning.dll" or ImageLoaded endswith "\\tquery.dll" or ImageLoaded endswith "\\tsworkspace.dll" or ImageLoaded endswith "\\ttdrecord.dll" or ImageLoaded endswith "\\twext.dll" or ImageLoaded endswith "\\twinapi.dll" or ImageLoaded endswith "\\twinui.appcore.dll" or ImageLoaded endswith "\\uianimation.dll" or ImageLoaded endswith "\\uiautomationcore.dll" or ImageLoaded endswith "\\uireng.dll" or ImageLoaded endswith "\\uiribbon.dll" or ImageLoaded endswith "\\umpdc.dll" or ImageLoaded endswith "\\unattend.dll" or ImageLoaded endswith "\\updatepolicy.dll" or ImageLoaded endswith "\\upshared.dll" or ImageLoaded endswith "\\urlmon.dll" or ImageLoaded endswith "\\userenv.dll" or ImageLoaded endswith "\\utildll.dll" or ImageLoaded endswith "\\uxinit.dll" or ImageLoaded endswith "\\uxtheme.dll" or ImageLoaded endswith "\\vaultcli.dll" or ImageLoaded endswith "\\vdsutil.dll" or ImageLoaded endswith "\\version.dll" or ImageLoaded endswith "\\virtdisk.dll" or 
ImageLoaded endswith "\\vssapi.dll" or ImageLoaded endswith "\\vsstrace.dll" or ImageLoaded endswith "\\wbemprox.dll" or ImageLoaded endswith "\\wbemsvc.dll" or ImageLoaded endswith "\\wcmapi.dll" or ImageLoaded endswith "\\wcnnetsh.dll" or ImageLoaded endswith "\\wdi.dll" or ImageLoaded endswith "\\wdscore.dll" or ImageLoaded endswith "\\webservices.dll" or ImageLoaded endswith "\\wecapi.dll" or ImageLoaded endswith "\\wer.dll" or ImageLoaded endswith "\\wevtapi.dll" or ImageLoaded endswith "\\whhelper.dll" or ImageLoaded endswith "\\wimgapi.dll" or ImageLoaded endswith "\\winbio.dll" or ImageLoaded endswith "\\winbrand.dll" or ImageLoaded endswith "\\windows.storage.dll" or ImageLoaded endswith "\\windows.storage.search.dll" or ImageLoaded endswith "\\windows.ui.immersive.dll" or ImageLoaded endswith "\\windowscodecs.dll" or ImageLoaded endswith "\\windowscodecsext.dll" or ImageLoaded endswith "\\windowsudk.shellcommon.dll" or ImageLoaded endswith "\\winhttp.dll" or ImageLoaded endswith "\\wininet.dll" or ImageLoaded endswith "\\winipsec.dll" or ImageLoaded endswith "\\winmde.dll" or ImageLoaded endswith "\\winmm.dll" or ImageLoaded endswith "\\winnsi.dll" or ImageLoaded endswith "\\winrnr.dll" or ImageLoaded endswith "\\winscard.dll" or ImageLoaded endswith "\\winsqlite3.dll" or ImageLoaded endswith "\\winsta.dll" or ImageLoaded endswith "\\winsync.dll" or ImageLoaded endswith "\\wkscli.dll" or ImageLoaded endswith "\\wlanapi.dll" or ImageLoaded endswith "\\wlancfg.dll" or ImageLoaded endswith "\\wldp.dll" or ImageLoaded endswith "\\wlidprov.dll" or ImageLoaded endswith "\\wmiclnt.dll" or ImageLoaded endswith "\\wmidcom.dll" or ImageLoaded endswith "\\wmiutils.dll" or ImageLoaded endswith "\\wmpdui.dll" or ImageLoaded endswith "\\wmsgapi.dll" or ImageLoaded endswith "\\wofutil.dll" or ImageLoaded endswith "\\wpdshext.dll" or ImageLoaded endswith "\\wscapi.dll" or ImageLoaded endswith "\\wsdapi.dll" or ImageLoaded endswith "\\wshbth.dll" or ImageLoaded endswith 
"\\wshelper.dll" or ImageLoaded endswith "\\wsmsvc.dll" or ImageLoaded endswith "\\wtsapi32.dll" or ImageLoaded endswith "\\wwancfg.dll" or ImageLoaded endswith "\\wwapi.dll" or ImageLoaded endswith "\\xmllite.dll" or ImageLoaded endswith "\\xolehlp.dll" or ImageLoaded endswith "\\xpsservices.dll" or ImageLoaded endswith "\\xwizards.dll" or ImageLoaded endswith "\\xwtpw32.dll" or ImageLoaded endswith "\\amsi.dll" or ImageLoaded endswith "\\appraiser.dll" or ImageLoaded endswith "\\COMRES.DLL" or ImageLoaded endswith "\\cryptnet.dll" or ImageLoaded endswith "\\DispBroker.dll" or ImageLoaded endswith "\\dsound.dll" or ImageLoaded endswith "\\dxilconv.dll" or ImageLoaded endswith "\\FxsCompose.dll" or ImageLoaded endswith "\\FXSRESM.DLL" or ImageLoaded endswith "\\msdtcVSp1res.dll" or ImageLoaded endswith "\\PrintIsolationProxy.dll" or ImageLoaded endswith "\\rdpendp.dll" or ImageLoaded endswith "\\rpchttp.dll" or ImageLoaded endswith "\\storageusage.dll" or ImageLoaded endswith "\\utcutil.dll" or ImageLoaded endswith "\\WfsR.dll" or ImageLoaded endswith "\\igd10iumd64.dll" or ImageLoaded endswith "\\igd12umd64.dll" or ImageLoaded endswith "\\igdumdim64.dll" or ImageLoaded endswith "\\igdusc64.dll" or ImageLoaded endswith "\\TSMSISrv.dll" or ImageLoaded endswith "\\TSVIPSrv.dll" or ImageLoaded endswith "\\wbemcomn.dll" or ImageLoaded endswith "\\WLBSCTRL.dll" or ImageLoaded endswith "\\wow64log.dll" or ImageLoaded endswith "\\WptsExtensions.dll") and (not(((ImageLoaded contains "C:\\$WINDOWS.~BT\\" or ImageLoaded contains "C:\\$WinREAgent\\" or ImageLoaded contains "C:\\Windows\\SoftwareDistribution\\" or ImageLoaded contains "C:\\Windows\\System32\\" or ImageLoaded contains "C:\\Windows\\SystemTemp\\" or ImageLoaded contains "C:\\Windows\\SysWOW64\\" or ImageLoaded contains "C:\\Windows\\WinSxS\\" or ImageLoaded contains "C:\\Windows\\SyChpe32\\") or (ImageLoaded startswith "C:\\Windows\\Temp\\" and (Image startswith "C:\\Windows\\WinSxS\\arm64" or Image startswith 
"C:\\Windows\\UUS\\arm64\\") and (Image endswith "\\TiWorker.exe" or Image endswith "\\wuaucltcore.exe")) or (ImageLoaded startswith "C:\\Windows\\Microsoft.NET\\" and ImageLoaded endswith "\\cscui.dll") or (ImageLoaded startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and ImageLoaded endswith "\\version.dll") or (ImageLoaded startswith "C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_" and ImageLoaded endswith "\\d3dx9_43.dll")))) and (not(((ImageLoaded startswith "C:\\Program Files\\Microsoft\\Exchange Server\\" and ImageLoaded endswith "\\mswb7.dll") or (ImageLoaded startswith "C:\\Program Files\\Arsenal-Image-Mounter-" and (ImageLoaded endswith "\\mi.dll" or ImageLoaded endswith "\\miutils.dl")) or (Image =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and ImageLoaded =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") or ImageLoaded startswith "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((Image contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or Image contains "C:\\Windows\\System32\\backgroundTaskHost.exe") and ImageLoaded startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs") or (Image startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and Image endswith "\\wldp.dll") or ((Image startswith "C:\\Program Files\\CheckPoint\\" or Image startswith "C:\\Program Files (x86)\\CheckPoint\\") and Image endswith "\\SmartConsole.exe" and (ImageLoaded startswith "C:\\Program Files\\CheckPoint\\" or ImageLoaded startswith "C:\\Program Files (x86)\\CheckPoint\\") and ImageLoaded endswith "\\PolicyManager.dll"))))
Microsoft Sentinel Converted KQL high T1021.001
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Detects the execution of "reg.exe" to enable or disable the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values.
Query:
((Image endswith "\\reg.exe" or OriginalFileName =~ "reg.exe") and (CommandLine contains " add " and CommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and CommandLine contains "REG_DWORD" and CommandLine contains " /f")) and ((CommandLine contains "Licensing Core" and CommandLine contains "EnableConcurrentSessions") or (CommandLine contains "AllowTSConnections" or CommandLine contains "fDenyTSConnections" or CommandLine contains "fEnableWinStation" or CommandLine contains "fSingleSessionPerUser" or CommandLine contains "IdleWinStationPoolCount" or CommandLine contains "MaxInstanceCount" or CommandLine contains "SecurityLayer" or CommandLine contains "TSAdvertise" or CommandLine contains "TSAppCompat" or CommandLine contains "TSEnabled" or CommandLine contains "TSUserEnabled" or CommandLine contains "WinStations\\RDP-Tcp")) and (not((CommandLine contains "SecurityLayer" and CommandLine contains "02")))
Microsoft Sentinel Converted KQL high T1685
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility.
Query:
((CommandLine contains "wmic" and CommandLine contains "product where " and CommandLine contains "call" and CommandLine contains "uninstall" and CommandLine contains "/nointeractive") or ((CommandLine contains "wmic" and CommandLine contains "caption like ") and (CommandLine contains "call delete" or CommandLine contains "call terminate")) or (CommandLine contains "process " and CommandLine contains "where " and CommandLine contains "delete")) and (CommandLine contains "%carbon%" or CommandLine contains "%cylance%" or CommandLine contains "%endpoint%" or CommandLine contains "%eset%" or CommandLine contains "%malware%" or CommandLine contains "%Sophos%" or CommandLine contains "%symantec%" or CommandLine contains "Antivirus" or CommandLine contains "AVG " or CommandLine contains "Carbon Black" or CommandLine contains "CarbonBlack" or CommandLine contains "Cb Defense Sensor 64-bit" or CommandLine contains "Crowdstrike Sensor" or CommandLine contains "Cylance " or CommandLine contains "Dell Threat Defense" or CommandLine contains "DLP Endpoint" or CommandLine contains "Endpoint Detection" or CommandLine contains "Endpoint Protection" or CommandLine contains "Endpoint Security" or CommandLine contains "Endpoint Sensor" or CommandLine contains "ESET File Security" or CommandLine contains "LogRhythm System Monitor Service" or CommandLine contains "Malwarebytes" or CommandLine contains "McAfee Agent" or CommandLine contains "Microsoft Security Client" or CommandLine contains "Sophos Anti-Virus" or CommandLine contains "Sophos AutoUpdate" or CommandLine contains "Sophos Credential Store" or CommandLine contains "Sophos Management Console" or CommandLine contains "Sophos Management Database" or CommandLine contains "Sophos Management Server" or CommandLine contains "Sophos Remote Management System" or CommandLine contains "Sophos Update Manager" or CommandLine contains "Threat Protection" or CommandLine contains "VirusScan" or CommandLine contains "Webroot SecureAnywhere" 
or CommandLine contains "Windows Defender")
Microsoft Sentinel Converted KQL high T1574.001
Potential Vcruntime140 DLL Sideloading
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library. Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper, etc. Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
Query:
ImageLoaded endswith "\\vcruntime140.dll" and (not(((ImageLoaded startswith "C:\\Windows\\System32\\" or ImageLoaded startswith "C:\\Windows\\SysWOW64\\" or ImageLoaded startswith "C:\\Program Files\\" or ImageLoaded startswith "C:\\Program Files (x86)\\") or (Signed =~ true and SignatureStatus =~ "Valid" and Description =~ "Microsoft® C Runtime Library"))))
Microsoft Sentinel Converted KQL high T1574.001
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Query:
ImageLoaded endswith "\\waveedit.dll" and (not(((Image in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (ImageLoaded startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or ImageLoaded startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
Microsoft Sentinel Converted KQL high T1036.003
Potential WerFault ReflectDebugger Registry Value Abuse
Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
Query:
TargetObject endswith "\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
Microsoft Sentinel Converted KQL high T1106
Potential WinAPI Calls Via CommandLine
Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec.
Query:
(CommandLine contains "AddSecurityPackage" or CommandLine contains "AdjustTokenPrivileges" or CommandLine contains "Advapi32" or CommandLine contains "CloseHandle" or CommandLine contains "CreateProcessWithToken" or CommandLine contains "CreatePseudoConsole" or CommandLine contains "CreateRemoteThread" or CommandLine contains "CreateThread" or CommandLine contains "CreateUserThread" or CommandLine contains "DangerousGetHandle" or CommandLine contains "DuplicateTokenEx" or CommandLine contains "EnumerateSecurityPackages" or CommandLine contains "FreeHGlobal" or CommandLine contains "FreeLibrary" or CommandLine contains "GetDelegateForFunctionPointer" or CommandLine contains "GetLogonSessionData" or CommandLine contains "GetModuleHandle" or CommandLine contains "GetProcAddress" or CommandLine contains "GetProcessHandle" or CommandLine contains "GetTokenInformation" or CommandLine contains "ImpersonateLoggedOnUser" or CommandLine contains "kernel32" or CommandLine contains "LoadLibrary" or CommandLine contains "memcpy" or CommandLine contains "MiniDumpWriteDump" or CommandLine contains "ntdll" or CommandLine contains "OpenDesktop" or CommandLine contains "OpenProcess" or CommandLine contains "OpenProcessToken" or CommandLine contains "OpenThreadToken" or CommandLine contains "OpenWindowStation" or CommandLine contains "PtrToString" or CommandLine contains "QueueUserApc" or CommandLine contains "ReadProcessMemory" or CommandLine contains "RevertToSelf" or CommandLine contains "RtlCreateUserThread" or CommandLine contains "secur32" or CommandLine contains "SetThreadToken" or CommandLine contains "VirtualAlloc" or CommandLine contains "VirtualFree" or CommandLine contains "VirtualProtect" or CommandLine contains "WaitForSingleObject" or CommandLine contains "WriteInt32" or CommandLine contains "WriteProcessMemory" or CommandLine contains "ZeroFreeGlobalAllocUnicode") and (not(((Image endswith "\\MpCmdRun.exe" and CommandLine contains "GetLoadLibraryWAddress32") or 
(ParentImage endswith "\\CompatTelRunner.exe" and (CommandLine contains "FreeHGlobal" or CommandLine contains "PtrToString" or CommandLine contains "kernel32" or CommandLine contains "CloseHandle")))))
Microsoft Sentinel Converted KQL high T1059.001
Potential WinAPI Calls Via PowerShell Scripts
Detects the use of WinAPI functions in PowerShell scripts.
Query:
(ScriptBlockText contains "VirtualAlloc" and ScriptBlockText contains "OpenProcess" and ScriptBlockText contains "WriteProcessMemory" and ScriptBlockText contains "CreateRemoteThread") or (ScriptBlockText contains "OpenProcessToken" and ScriptBlockText contains "LookupPrivilegeValue" and ScriptBlockText contains "AdjustTokenPrivileges") or (ScriptBlockText contains "OpenProcessToken" and ScriptBlockText contains "DuplicateTokenEx" and ScriptBlockText contains "CloseHandle") or (ScriptBlockText contains "WriteProcessMemory" and ScriptBlockText contains "VirtualAlloc" and ScriptBlockText contains "ReadProcessMemory" and ScriptBlockText contains "VirtualFree")
Microsoft Sentinel Converted KQL high T1003.001
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule covers only procdump; other utilities can be added to increase coverage.
Query:
(Image contains ":\\Program Files" and Image contains "\\Microsoft Visual Studio\\" and Image endswith "\\dump64.exe") and (OriginalFileName =~ "procdump" or (CommandLine contains " -ma " or CommandLine contains " -mp "))
Microsoft Sentinel Converted KQL high T1047
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings, such as adding exclusions, using wmic.
Query:
(OriginalFileName =~ "wmic.exe" or Image endswith "\\WMIC.exe") and CommandLine contains "/Namespace:\\\\root\\Microsoft\\Windows\\Defender"
Microsoft Sentinel Converted KQL high T1027
Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in the RedMimicry Winnti playbook.
Query:
TargetFilename endswith "\\gthread-3.6.dll" or TargetFilename endswith "\\sigcmm-2.4.dll" or TargetFilename endswith "\\Windows\\Temp\\tmp.bat"
Microsoft Sentinel Converted KQL high
Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
Query:
(Image endswith "/sh" and (CommandLine contains "=$(curl " and CommandLine contains "eval")) or (Image endswith "/curl" and CommandLine contains "_intermediate_agent_")
Microsoft Sentinel Converted KQL high T1190
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing exceptions; if the application is expected to process XML, make sure the parser is initialized safely.
Query:
"SAXParseException" or "DOMException"
Microsoft Sentinel Converted KQL high T1574.001
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll".
Query:
ImageLoaded endswith "\\appverifUI.dll" and (not(((Image in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (ImageLoaded startswith "C:\\Windows\\System32\\" or ImageLoaded startswith "C:\\Windows\\SysWOW64\\" or ImageLoaded startswith "C:\\Windows\\WinSxS\\"))))
Microsoft Sentinel Converted KQL high T1127
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Query:
(Image contains ":\\Windows\\Microsoft.NET\\Framework\\" or Image contains ":\\Windows\\Microsoft.NET\\Framework64\\" or Image contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or Image contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and Image endswith "\\aspnet_compiler.exe" and (CommandLine contains "\\Users\\Public\\" or CommandLine contains "\\AppData\\Local\\Temp\\" or CommandLine contains "\\AppData\\Local\\Roaming\\" or CommandLine contains ":\\Temp\\" or CommandLine contains ":\\Windows\\Temp\\" or CommandLine contains ":\\Windows\\System32\\Tasks\\" or CommandLine contains ":\\Windows\\Tasks\\")
Microsoft Sentinel Converted KQL high
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script.
Query:
CommandLine contains "Win32_NTEventlogFile" and (CommandLine contains ".BackupEventlog(" or CommandLine contains ".ChangeSecurityPermissions(" or CommandLine contains ".ChangeSecurityPermissionsEx(" or CommandLine contains ".ClearEventLog(" or CommandLine contains ".Delete(" or CommandLine contains ".DeleteEx(" or CommandLine contains ".Rename(" or CommandLine contains ".TakeOwnerShip(" or CommandLine contains ".TakeOwnerShipEx(")
Microsoft Sentinel Converted KQL high T1218.010 ↗
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
Show query
(ParentImage endswith "\\regsvr32.exe" and (Image endswith "\\calc.exe" or Image endswith "\\cscript.exe" or Image endswith "\\explorer.exe" or Image endswith "\\mshta.exe" or Image endswith "\\net.exe" or Image endswith "\\net1.exe" or Image endswith "\\nltest.exe" or Image endswith "\\notepad.exe" or Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe" or Image endswith "\\reg.exe" or Image endswith "\\schtasks.exe" or Image endswith "\\werfault.exe" or Image endswith "\\wscript.exe")) and (not((Image endswith "\\werfault.exe" and CommandLine contains " -u -p ")))
Microsoft Sentinel Converted KQL high T1202 ↗
Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
Show query
ParentImage endswith "\\conhost.exe" and ((Image endswith "\\cmd.exe" or Image endswith "\\cscript.exe" or Image endswith "\\mshta.exe" or Image endswith "\\powershell_ise.exe" or Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe" or Image endswith "\\regsvr32.exe" or Image endswith "\\wscript.exe") or (OriginalFileName in~ ("cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe", "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe")))
Microsoft Sentinel Converted KQL high T1059.001 ↗
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Show query
TargetObject contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (((Details contains "powershell" or Details contains "pwsh") and (Details contains " -e " or Details contains " -ec " or Details contains " -en " or Details contains " -enc " or Details contains " -enco" or Details contains "ftp" or Details contains "Hidden" or Details contains "http" or Details contains "iex" or Details contains "Invoke-")) or (Details contains "wmic" and (Details contains "shadowcopy" or Details contains "process call create")))
Microsoft Sentinel Converted KQL high T1218.008 ↗
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't have a ".dll" extension, which is often used as a method to evade defenses.
Show query
((Image endswith "\\odbcconf.exe" or OriginalFileName =~ "odbcconf.exe") and CommandLine contains "REGSVR ") and (not(CommandLine contains ".dll"))
Microsoft Sentinel Converted KQL high T1548.002 ↗
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe", which might indicate a UAC bypass attempt.
Show query
ParentImage endswith "\\eventvwr.exe" and (not((Image endswith ":\\Windows\\System32\\mmc.exe" or Image endswith ":\\Windows\\System32\\WerFault.exe" or Image endswith ":\\Windows\\SysWOW64\\WerFault.exe")))
Microsoft Sentinel Converted KQL high T1059 ↗
Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution where a parent process located in the "\Users\Public" folder spawns a child process whose image or command line references shell or scripting binaries.
Show query
ParentImage contains ":\\Users\\Public\\" and ((Image endswith "\\bitsadmin.exe" or Image endswith "\\certutil.exe" or Image endswith "\\cmd.exe" or Image endswith "\\cscript.exe" or Image endswith "\\mshta.exe" or Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe" or Image endswith "\\regsvr32.exe" or Image endswith "\\rundll32.exe" or Image endswith "\\wscript.exe") or (CommandLine contains "bitsadmin" or CommandLine contains "certutil" or CommandLine contains "cscript" or CommandLine contains "mshta" or CommandLine contains "powershell" or CommandLine contains "regsvr32" or CommandLine contains "rundll32" or CommandLine contains "wscript"))
Microsoft Sentinel Converted KQL high
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
Show query
((Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") or (OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (CommandLine contains "anonfiles.com" or CommandLine contains "cdn.discordapp.com" or CommandLine contains "ddns.net" or CommandLine contains "dl.dropboxusercontent.com" or CommandLine contains "ghostbin.co" or CommandLine contains "glitch.me" or CommandLine contains "gofile.io" or CommandLine contains "hastebin.com" or CommandLine contains "mediafire.com" or CommandLine contains "mega.nz" or CommandLine contains "onrender.com" or CommandLine contains "pages.dev" or CommandLine contains "paste.ee" or CommandLine contains "pastebin.com" or CommandLine contains "pastebin.pl" or CommandLine contains "pastetext.net" or CommandLine contains "pixeldrain.com" or CommandLine contains "privatlab.com" or CommandLine contains "privatlab.net" or CommandLine contains "send.exploit.in" or CommandLine contains "sendspace.com" or CommandLine contains "storage.googleapis.com" or CommandLine contains "storjshare.io" or CommandLine contains "supabase.co" or CommandLine contains "temp.sh" or CommandLine contains "transfer.sh" or CommandLine contains "trycloudflare.com" or CommandLine contains "ufile.io" or CommandLine contains "w3spaces.com" or CommandLine contains "workers.dev") and (CommandLine contains ".DownloadString(" or CommandLine contains ".DownloadFile(" or CommandLine contains "Invoke-WebRequest " or CommandLine contains "iwr " or CommandLine contains "wget ")
Microsoft Sentinel Converted KQL high
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Show query
Contents contains ".zip/" and (TargetFilename contains ".bat:Zone" or TargetFilename contains ".dat:Zone" or TargetFilename contains ".dll:Zone" or TargetFilename contains ".doc:Zone" or TargetFilename contains ".docm:Zone" or TargetFilename contains ".exe:Zone" or TargetFilename contains ".hta:Zone" or TargetFilename contains ".pptm:Zone" or TargetFilename contains ".ps1:Zone" or TargetFilename contains ".rar:Zone" or TargetFilename contains ".rtf:Zone" or TargetFilename contains ".sct:Zone" or TargetFilename contains ".vbe:Zone" or TargetFilename contains ".vbs:Zone" or TargetFilename contains ".ws:Zone" or TargetFilename contains ".wsf:Zone" or TargetFilename contains ".xll:Zone" or TargetFilename contains ".xls:Zone" or TargetFilename contains ".xlsm:Zone" or TargetFilename contains ".zip:Zone")
Microsoft Sentinel Converted KQL high
Potentially Suspicious GoogleUpdate Child Process
Detects potentially suspicious child processes of "GoogleUpdate.exe"
Show query
ParentImage endswith "\\GoogleUpdate.exe" and (not(((Image contains "\\Google" or (Image endswith "\\setup.exe" or Image endswith "chrome_updater.exe" or Image endswith "chrome_installer.exe")) or isnull(Image))))
Microsoft Sentinel Converted KQL high T1571 ↗
Potentially Suspicious Malware Callback Communication
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Show query
(Initiated =~ "true" and (DestinationPort in~ ("100", "198", "200", "243", "473", "666", "700", "743", "777", "1443", "1515", "1777", "1817", "1904", "1960", "2443", "2448", "3360", "3675", "3939", "4040", "4433", "4438", "4443", "4444", "4455", "5445", "5552", "5649", "6625", "7210", "7777", "8143", "8843", "9631", "9943", "10101", "12102", "12103", "12322", "13145", "13394", "13504", "13505", "13506", "13507", "14102", "14103", "14154", "49180", "65520", "65535"))) and (not((ipv4_is_in_range(DestinationIp, "127.0.0.0/8") or ipv4_is_in_range(DestinationIp, "10.0.0.0/8") or ipv4_is_in_range(DestinationIp, "172.16.0.0/12") or ipv4_is_in_range(DestinationIp, "192.168.0.0/16") or ipv4_is_in_range(DestinationIp, "169.254.0.0/16") or ipv4_is_in_range(DestinationIp, "::1/128") or ipv4_is_in_range(DestinationIp, "fe80::/10") or ipv4_is_in_range(DestinationIp, "fc00::/7")))) and (not((Image startswith "C:\\Program Files\\" or Image startswith "C:\\Program Files (x86)\\")))
Microsoft Sentinel Converted KQL high T1571 ↗
Potentially Suspicious Malware Callback Communication - Linux
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Show query
(Initiated =~ "true" and (DestinationPort in~ ("888", "999", "2200", "2222", "4000", "4444", "6789", "8531", "50501", "51820"))) and (not((ipv4_is_in_range(DestinationIp, "127.0.0.0/8") or ipv4_is_in_range(DestinationIp, "10.0.0.0/8") or ipv4_is_in_range(DestinationIp, "172.16.0.0/12") or ipv4_is_in_range(DestinationIp, "192.168.0.0/16") or ipv4_is_in_range(DestinationIp, "169.254.0.0/16") or ipv4_is_in_range(DestinationIp, "::1/128") or ipv4_is_in_range(DestinationIp, "fe80::/10") or ipv4_is_in_range(DestinationIp, "fc00::/7"))))
Microsoft Sentinel Converted KQL high T1003 ↗
Potentially Suspicious ODBC Driver Registered
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
Show query
TargetObject contains "\\SOFTWARE\\ODBC\\ODBCINST.INI\\" and (TargetObject endswith "\\Driver" or TargetObject endswith "\\Setup") and (Details contains ":\\PerfLogs\\" or Details contains ":\\ProgramData\\" or Details contains ":\\Temp\\" or Details contains ":\\Users\\Public\\" or Details contains ":\\Windows\\Registration\\CRMLog" or Details contains ":\\Windows\\System32\\com\\dmp\\" or Details contains ":\\Windows\\System32\\FxsTmp\\" or Details contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or Details contains ":\\Windows\\System32\\spool\\drivers\\color\\" or Details contains ":\\Windows\\System32\\spool\\PRINTERS\\" or Details contains ":\\Windows\\System32\\spool\\SERVERS\\" or Details contains ":\\Windows\\System32\\Tasks_Migrated\\" or Details contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or Details contains ":\\Windows\\SysWOW64\\com\\dmp\\" or Details contains ":\\Windows\\SysWOW64\\FxsTmp\\" or Details contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or Details contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or Details contains ":\\Windows\\Tasks\\" or Details contains ":\\Windows\\Temp\\" or Details contains ":\\Windows\\Tracing\\" or Details contains "\\AppData\\Local\\Temp\\" or Details contains "\\AppData\\Roaming\\")
Microsoft Sentinel Converted KQL high T1202 ↗
Potentially Suspicious Office Document Executed From Trusted Location
Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to bypass macro security settings and execute their malicious code.
Show query
((ParentImage endswith "\\explorer.exe" or ParentImage endswith "\\dopus.exe") and ((Image endswith "\\EXCEL.EXE" or Image endswith "\\POWERPNT.EXE" or Image endswith "\\WINWORD.exe") or (OriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) and (CommandLine contains "\\AppData\\Roaming\\Microsoft\\Templates" or CommandLine contains "\\AppData\\Roaming\\Microsoft\\Word\\Startup\\" or CommandLine contains "\\Microsoft Office\\root\\Templates\\" or CommandLine contains "\\Microsoft Office\\Templates\\")) and (not((CommandLine endswith ".dotx" or CommandLine endswith ".xltx" or CommandLine endswith ".potx")))
Microsoft Sentinel Converted KQL high T1218.010 ↗
Potentially Suspicious Regsvr32 HTTP IP Pattern
Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
Show query
(Image endswith "\\regsvr32.exe" or OriginalFileName =~ "REGSVR32.EXE") and (CommandLine contains " /i:http://1" or CommandLine contains " /i:http://2" or CommandLine contains " /i:http://3" or CommandLine contains " /i:http://4" or CommandLine contains " /i:http://5" or CommandLine contains " /i:http://6" or CommandLine contains " /i:http://7" or CommandLine contains " /i:http://8" or CommandLine contains " /i:http://9" or CommandLine contains " /i:https://1" or CommandLine contains " /i:https://2" or CommandLine contains " /i:https://3" or CommandLine contains " /i:https://4" or CommandLine contains " /i:https://5" or CommandLine contains " /i:https://6" or CommandLine contains " /i:https://7" or CommandLine contains " /i:https://8" or CommandLine contains " /i:https://9" or CommandLine contains " -i:http://1" or CommandLine contains " -i:http://2" or CommandLine contains " -i:http://3" or CommandLine contains " -i:http://4" or CommandLine contains " -i:http://5" or CommandLine contains " -i:http://6" or CommandLine contains " -i:http://7" or CommandLine contains " -i:http://8" or CommandLine contains " -i:http://9" or CommandLine contains " -i:https://1" or CommandLine contains " -i:https://2" or CommandLine contains " -i:https://3" or CommandLine contains " -i:https://4" or CommandLine contains " -i:https://5" or CommandLine contains " -i:https://6" or CommandLine contains " -i:https://7" or CommandLine contains " -i:https://8" or CommandLine contains " -i:https://9")
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerShell ADRecon Execution
Detects execution of ADRecon.ps1 for AD reconnaissance, which has been reported to be actively used by FIN7.
Show query
ScriptBlockText contains "Function Get-ADRExcelComOb" or ScriptBlockText contains "Get-ADRGPO" or ScriptBlockText contains "Get-ADRDomainController" or ScriptBlockText contains "ADRecon-Report.xlsx"
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
Show query
CommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or CommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or CommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (CommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or CommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or CommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
Show query
(CommandLine contains "SUVYIChb" or CommandLine contains "lFWCAoW" or CommandLine contains "JRVggKF" or CommandLine contains "aWV4IChb" or CommandLine contains "lleCAoW" or CommandLine contains "pZXggKF" or CommandLine contains "aWV4IChOZX" or CommandLine contains "lleCAoTmV3" or CommandLine contains "pZXggKE5ld" or CommandLine contains "SUVYIChOZX" or CommandLine contains "lFWCAoTmV3" or CommandLine contains "JRVggKE5ld" or CommandLine contains "SUVYKF" or CommandLine contains "lFWChb" or CommandLine contains "JRVgoW" or CommandLine contains "aWV4KF" or CommandLine contains "lleChb" or CommandLine contains "pZXgoW" or CommandLine contains "aWV4KE5ld" or CommandLine contains "lleChOZX" or CommandLine contains "pZXgoTmV3" or CommandLine contains "SUVYKE5ld" or CommandLine contains "lFWChOZX" or CommandLine contains "JRVgoTmV3" or CommandLine contains "SUVYKCgn" or CommandLine contains "lFWCgoJ" or CommandLine contains "JRVgoKC" or CommandLine contains "aWV4KCgn" or CommandLine contains "lleCgoJ" or CommandLine contains "pZXgoKC") or (CommandLine contains "SQBFAFgAIAAoAFsA" or CommandLine contains "kARQBYACAAKABbA" or CommandLine contains "JAEUAWAAgACgAWw" or CommandLine contains "aQBlAHgAIAAoAFsA" or CommandLine contains "kAZQB4ACAAKABbA" or CommandLine contains "pAGUAeAAgACgAWw" or CommandLine contains "aQBlAHgAIAAoAE4AZQB3A" or CommandLine contains "kAZQB4ACAAKABOAGUAdw" or CommandLine contains "pAGUAeAAgACgATgBlAHcA" or CommandLine contains "SQBFAFgAIAAoAE4AZQB3A" or CommandLine contains "kARQBYACAAKABOAGUAdw" or CommandLine contains "JAEUAWAAgACgATgBlAHcA")
Microsoft Sentinel Converted KQL high T1027 ↗
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded PowerShell 'Invoke-' calls.
Show query
((Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") or (OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and CommandLine contains " -e" and (CommandLine contains "SQBuAHYAbwBrAGUALQ" or CommandLine contains "kAbgB2AG8AawBlAC0A" or CommandLine contains "JAG4AdgBvAGsAZQAtA" or CommandLine contains "SW52b2tlL" or CommandLine contains "ludm9rZS" or CommandLine contains "JbnZva2Ut")
Microsoft Sentinel Converted KQL high T1027 ↗
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of Assembly
Show query
CommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or CommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or CommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or CommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or CommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or CommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or CommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or CommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or CommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or CommandLine contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or CommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or CommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA"
Microsoft Sentinel Converted KQL high T1027 ↗
PowerShell Base64 Encoded WMI Classes
Detects calls to base64 encoded WMI classes such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
Show query
((Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") or (OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((CommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or CommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or CommandLine contains "XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or CommandLine contains "V2luMzJfU2hhZG93Y29we" or CommandLine contains "dpbjMyX1NoYWRvd2NvcH" or CommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (CommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or CommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or CommandLine contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or CommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or CommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or CommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (CommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or CommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or CommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or CommandLine contains "V2luMzJfUHJvY2Vzc" or CommandLine contains "dpbjMyX1Byb2Nlc3" or CommandLine contains "XaW4zMl9Qcm9jZXNz") or (CommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or CommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or CommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or CommandLine contains "V2luMzJfVXNlckFjY291bn" or CommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or CommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud") or (CommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or CommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or CommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or CommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or CommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or CommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX"))
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Show query
(Data contains "EngineVersion=2." or Data contains "EngineVersion=4." or Data contains "EngineVersion=5.") and Data contains "HostVersion=3."
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
Show query
ScriptBlockText contains "PromptForCredential"
Microsoft Sentinel Converted KQL high T1685 ↗
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.
Show query
CommandLine contains "Set-MpPreference" and (CommandLine contains "-LowThreatDefaultAction" or CommandLine contains "-ModerateThreatDefaultAction" or CommandLine contains "-HighThreatDefaultAction" or CommandLine contains "-SevereThreatDefaultAction" or CommandLine contains "-ltdefac " or CommandLine contains "-mtdefac " or CommandLine contains "-htdefac " or CommandLine contains "-stdefac ") and (CommandLine contains "Allow" or CommandLine contains "6" or CommandLine contains "NoAction" or CommandLine contains "9")
Microsoft Sentinel Converted KQL high T1059 ↗
PowerShell Download and Execution Cradles
Detects PowerShell download and execution cradles.
Show query
(CommandLine contains ".DownloadString(" or CommandLine contains ".DownloadFile(" or CommandLine contains "Invoke-WebRequest " or CommandLine contains "iwr " or CommandLine contains "Invoke-RestMethod " or CommandLine contains "irm ") and (CommandLine contains ";iex $" or CommandLine contains "| IEX" or CommandLine contains "|IEX " or CommandLine contains "I`E`X" or CommandLine contains "I`EX" or CommandLine contains "IE`X" or CommandLine contains "iex " or CommandLine contains "IEX (" or CommandLine contains "IEX(" or CommandLine contains "Invoke-Expression")
Microsoft Sentinel Converted KQL high
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.
Show query
((Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") and (OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (CommandLine contains "Get-ChildItem " or CommandLine contains "dir " or CommandLine contains "gci " or CommandLine contains "ls ") and (CommandLine contains "Get-Content " or CommandLine contains "gc " or CommandLine contains "cat " or CommandLine contains "type " or CommandLine contains "ReadAllBytes") and ((CommandLine contains " ^| " and CommandLine contains "*.lnk" and CommandLine contains "-Recurse" and CommandLine contains "-Skip ") or (CommandLine contains " -ExpandProperty " and CommandLine contains "*.lnk" and CommandLine contains "WriteAllBytes" and CommandLine contains " .length "))
Microsoft Sentinel Converted KQL high T1552.004 ↗
PowerShell Get-Process LSASS
Detects the "Get-Process" cmdlet and its aliases used on the lsass process, which is in almost all cases a sign of malicious activity.
Show query
CommandLine contains "Get-Process lsas" or CommandLine contains "ps lsas" or CommandLine contains "gps lsas"
Microsoft Sentinel Converted KQL high T1003.001 ↗
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on the lsass process, which is in almost all cases a sign of malicious activity.
Show query
ScriptBlockText contains "Get-Process lsass"
Microsoft Sentinel Converted KQL high T1112 ↗
PowerShell Logging Disabled Via Registry Key Tampering
Detects registry changes for the currently logged-in user that disable PowerShell module logging, script block logging, transcription, or script execution logging.
Show query
(TargetObject contains "\\Microsoft\\Windows\\PowerShell\\" or TargetObject contains "\\Microsoft\\PowerShellCore\\") and (TargetObject endswith "\\ModuleLogging\\EnableModuleLogging" or TargetObject endswith "\\ScriptBlockLogging\\EnableScriptBlockLogging" or TargetObject endswith "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or TargetObject endswith "\\Transcription\\EnableTranscripting" or TargetObject endswith "\\Transcription\\EnableInvocationHeader" or TargetObject endswith "\\EnableScripts") and Details =~ "DWORD (0x00000000)"
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerShell PSAttack
Detects the use of the PSAttack PowerShell hack tool.
Show query
ScriptBlockText contains "PS ATTACK!!!"
Microsoft Sentinel Converted KQL high T1003.002 ↗
PowerShell SAM Copy
Detects suspicious PowerShell scripts accessing SAM hives
Show query
(CommandLine contains "\\HarddiskVolumeShadowCopy" and CommandLine contains "System32\\config\\sam") and (CommandLine contains "Copy-Item" or CommandLine contains "cp $_." or CommandLine contains "cpi $_." or CommandLine contains "copy $_." or CommandLine contains ".File]::Copy(")
Microsoft Sentinel Converted KQL high
PowerShell Script Change Permission Via Set-Acl
Detects PowerShell execution that sets the ACL of a file or a folder.
Show query
((OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe")) and (CommandLine contains "Set-Acl " and CommandLine contains "-AclObject " and CommandLine contains "-Path ")
Microsoft Sentinel Converted KQL high T1569.002 ↗
PowerShell Scripts Installed as Services
Detects a PowerShell script installed as a service.
Show query
Provider_Name =~ "Service Control Manager" and EventID == 7045 and (ImagePath contains "powershell" or ImagePath contains "pwsh")
Microsoft Sentinel Converted KQL high T1569.002 ↗
PowerShell Scripts Installed as Services - Security
Detects a PowerShell script installed as a service.
Show query
EventID == 4697 and (ServiceFileName contains "powershell" or ServiceFileName contains "pwsh")
Microsoft Sentinel Converted KQL high
PowerShell Set-Acl On Windows Folder
Detects PowerShell scripts that set the ACL of a file in the Windows folder.
Show query
((OriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe")) and (CommandLine contains "Set-Acl " and CommandLine contains "-AclObject ") and (CommandLine contains "-Path \"C:\\Windows" or CommandLine contains "-Path 'C:\\Windows" or CommandLine contains "-Path %windir%" or CommandLine contains "-Path $env:windir") and (CommandLine contains "FullControl" or CommandLine contains "Allow")
Showing 851-900 of 3,763