Microsoft Sentinel

3,763 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Microsoft Sentinel Converted KQL high T1222 ↗
PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts that set the ACL on a file in the Windows folder
Show query
(ScriptBlockText contains "Set-Acl " and ScriptBlockText contains "-AclObject ") and (ScriptBlockText contains "-Path \"C:\\Windows" or ScriptBlockText contains "-Path \"C:/Windows" or ScriptBlockText contains "-Path 'C:\\Windows" or ScriptBlockText contains "-Path 'C:/Windows" or ScriptBlockText contains "-Path C:\\Windows" or ScriptBlockText contains "-Path C:/Windows" or ScriptBlockText contains "-Path $env:windir" or ScriptBlockText contains "-Path \"$env:windir" or ScriptBlockText contains "-Path '$env:windir") and (ScriptBlockText contains "FullControl" or ScriptBlockText contains "Allow")
Microsoft Sentinel Converted KQL high T1055 ↗
PowerShell ShellCode
Detects Base64 encoded Shellcode
Show query
ScriptBlockText contains "OiCAAAAYInlM" or ScriptBlockText contains "OiJAAAAYInlM"
Microsoft Sentinel Converted KQL high T1548.002 ↗
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Show query
(Image endswith "\\dism.exe" or OriginalFileName =~ "DISM.EXE") and (CommandLine contains "WindowsPowerShellWebAccess" and CommandLine contains "/online" and CommandLine contains "/enable-feature")
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
Show query
ScriptBlockText contains "Install-WindowsFeature WindowsPowerShellWebAccess" or ScriptBlockText contains "Install-PswaWebApplication" or (ScriptBlockText contains "Add-PswaAuthorizationRule" and ScriptBlockText contains "-UserName " and ScriptBlockText contains "-ComputerName ")
Microsoft Sentinel Converted KQL high T1569.002 ↗
PowerShell as a Service in Registry
Detects PowerShell code written to the registry as a service.
Show query
TargetObject contains "\\Services\\" and TargetObject endswith "\\ImagePath" and (Details contains "powershell" or Details contains "pwsh")
Microsoft Sentinel Converted KQL high T1059.001 ↗
PowerView PowerShell Cmdlets - ScriptBlock
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
Show query
ScriptBlockText contains "Export-PowerViewCSV" or ScriptBlockText contains "Find-DomainLocalGroupMember" or ScriptBlockText contains "Find-DomainObjectPropertyOutlier" or ScriptBlockText contains "Find-DomainProcess" or ScriptBlockText contains "Find-DomainShare" or ScriptBlockText contains "Find-DomainUserEvent" or ScriptBlockText contains "Find-DomainUserLocation" or ScriptBlockText contains "Find-ForeignGroup" or ScriptBlockText contains "Find-ForeignUser" or ScriptBlockText contains "Find-GPOComputerAdmin" or ScriptBlockText contains "Find-GPOLocation" or ScriptBlockText contains "Find-InterestingDomain" or ScriptBlockText contains "Find-InterestingFile" or ScriptBlockText contains "Find-LocalAdminAccess" or ScriptBlockText contains "Find-ManagedSecurityGroups" or ScriptBlockText contains "Get-CachedRDPConnection" or ScriptBlockText contains "Get-DFSshare" or ScriptBlockText contains "Get-DomainDFSShare" or ScriptBlockText contains "Get-DomainDNSRecord" or ScriptBlockText contains "Get-DomainDNSZone" or ScriptBlockText contains "Get-DomainFileServer" or ScriptBlockText contains "Get-DomainGPOComputerLocalGroupMapping" or ScriptBlockText contains "Get-DomainGPOLocalGroup" or ScriptBlockText contains "Get-DomainGPOUserLocalGroupMapping" or ScriptBlockText contains "Get-LastLoggedOn" or ScriptBlockText contains "Get-LoggedOnLocal" or ScriptBlockText contains "Get-NetFileServer" or ScriptBlockText contains "Get-NetForest" or ScriptBlockText contains "Get-NetGPOGroup" or ScriptBlockText contains "Get-NetProcess" or ScriptBlockText contains "Get-NetRDPSession" or ScriptBlockText contains "Get-RegistryMountedDrive" or ScriptBlockText contains "Get-RegLoggedOn" or ScriptBlockText contains "Get-WMIRegCachedRDPConnection" or ScriptBlockText contains "Get-WMIRegLastLoggedOn" or ScriptBlockText contains "Get-WMIRegMountedDrive" or ScriptBlockText contains "Get-WMIRegProxy" or ScriptBlockText contains "Invoke-ACLScanner" or ScriptBlockText contains "Invoke-CheckLocalAdminAccess" or ScriptBlockText contains "Invoke-EnumerateLocalAdmin" or ScriptBlockText contains "Invoke-EventHunter" or ScriptBlockText contains "Invoke-FileFinder" or ScriptBlockText contains "Invoke-Kerberoast" or ScriptBlockText contains "Invoke-MapDomainTrust" or ScriptBlockText contains "Invoke-ProcessHunter" or ScriptBlockText contains "Invoke-RevertToSelf" or ScriptBlockText contains "Invoke-ShareFinder" or ScriptBlockText contains "Invoke-UserHunter" or ScriptBlockText contains "Invoke-UserImpersonation" or ScriptBlockText contains "Remove-RemoteConnection" or ScriptBlockText contains "Request-SPNTicket" or ScriptBlockText contains "Resolve-IPAddress"
Microsoft Sentinel Converted KQL high T1565 ↗
Powershell Add Name Resolution Policy Table Rule
Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace. This bypasses the default DNS server and uses a specified server to answer the query.
Show query
ScriptBlockText contains "Add-DnsClientNrptRule" and ScriptBlockText contains "-Namesp" and ScriptBlockText contains "-NameSe"
Microsoft Sentinel Converted KQL high T1685 ↗
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
Show query
(CommandLine contains "QWRkLU1wUHJlZmVyZW5jZS" or CommandLine contains "FkZC1NcFByZWZlcmVuY2Ug" or CommandLine contains "BZGQtTXBQcmVmZXJlbmNlI" or CommandLine contains "U2V0LU1wUHJlZmVyZW5jZS" or CommandLine contains "NldC1NcFByZWZlcmVuY2Ug" or CommandLine contains "TZXQtTXBQcmVmZXJlbmNlI" or CommandLine contains "YWRkLW1wcHJlZmVyZW5jZS" or CommandLine contains "FkZC1tcHByZWZlcmVuY2Ug" or CommandLine contains "hZGQtbXBwcmVmZXJlbmNlI" or CommandLine contains "c2V0LW1wcHJlZmVyZW5jZS" or CommandLine contains "NldC1tcHByZWZlcmVuY2Ug" or CommandLine contains "zZXQtbXBwcmVmZXJlbmNlI") or (CommandLine contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or CommandLine contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or CommandLine contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or CommandLine contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or CommandLine contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or CommandLine contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or CommandLine contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or CommandLine contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or CommandLine contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or CommandLine contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or CommandLine contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or CommandLine contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA")
Microsoft Sentinel Converted KQL high T1048 ↗
Powershell DNSExfiltration
DNSExfiltrator allows transferring (exfiltrating) a file over a DNS request covert channel
Show query
ScriptBlockText contains "Invoke-DNSExfiltrator" or (ScriptBlockText contains " -i " and ScriptBlockText contains " -d " and ScriptBlockText contains " -p " and ScriptBlockText contains " -doh " and ScriptBlockText contains " -t ")
Microsoft Sentinel Converted KQL high T1685 ↗
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
Show query
((CommandLine contains "Add-MpPreference " or CommandLine contains "Set-MpPreference ") and (CommandLine contains "DisableArchiveScanning " or CommandLine contains "DisableRealtimeMonitoring " or CommandLine contains "DisableIOAVProtection " or CommandLine contains "DisableBehaviorMonitoring " or CommandLine contains "DisableBlockAtFirstSeen " or CommandLine contains "DisableCatchupFullScan " or CommandLine contains "DisableCatchupQuickScan ") and (CommandLine contains "$true" or CommandLine contains " 1 ")) or ((CommandLine contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or CommandLine contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or CommandLine contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or CommandLine contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or CommandLine contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or CommandLine contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or CommandLine contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or CommandLine contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or CommandLine contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or CommandLine contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or CommandLine contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or CommandLine contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or CommandLine contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or CommandLine contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or CommandLine contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or CommandLine contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or CommandLine contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or CommandLine contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or CommandLine contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or CommandLine contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or CommandLine contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or CommandLine contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or CommandLine contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or CommandLine contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or CommandLine contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or CommandLine contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or CommandLine contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or CommandLine contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or CommandLine contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or CommandLine contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or CommandLine contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or CommandLine contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or CommandLine contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or CommandLine contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or CommandLine contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or CommandLine contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or CommandLine contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or CommandLine contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or CommandLine contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or CommandLine contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or CommandLine contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or CommandLine contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") or (CommandLine contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or CommandLine contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or CommandLine contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or CommandLine contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or CommandLine contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or CommandLine contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or CommandLine contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or CommandLine contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or CommandLine contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or CommandLine contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or CommandLine contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or CommandLine contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or CommandLine contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or CommandLine contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or CommandLine contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or CommandLine contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or CommandLine contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or CommandLine contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or CommandLine contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or CommandLine contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or CommandLine contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or CommandLine contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or CommandLine contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or CommandLine contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or CommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or CommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or CommandLine contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA"))
Microsoft Sentinel Converted KQL high T1556.002 ↗
Powershell Install a DLL in System Directory
Detects the use of PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Show query
ScriptBlockText matches regex "(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\\\Windows\\\\(System32|SysWOW64)"
Microsoft Sentinel Converted KQL high T1027.009 ↗
Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Show query
(CommandLine matches regex "\\w+`(?:\\w+|-|.)`[\\w+|\\s]" or CommandLine matches regex "\"(?:\\{\\d\\})+\"\\s*-f" or CommandLine matches regex "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not(CommandLine contains "${env:path}"))
Microsoft Sentinel Converted KQL high T1098 ↗
Powerview Add-DomainObjectAcl DCSync AD Extend Right
Detects the backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account using the PowerView Add-DomainObjectAcl cmdlet with the DCSync extended right, which allows re-obtaining the password hashes of any user or computer
Show query
(EventID == 5136 and AttributeLDAPDisplayName =~ "ntSecurityDescriptor" and (AttributeValue contains "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" or AttributeValue contains "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" or AttributeValue contains "89e95b76-444d-4c62-991a-0facbeda640c")) and (not((ObjectClass in~ ("dnsNode", "dnsZoneScope", "dnsZone"))))
Microsoft Sentinel Converted KQL high T1070.004 ↗
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Show query
(TargetFilename contains ":\\Windows\\Prefetch\\" and TargetFilename endswith ".pf") and (not((Image endswith ":\\windows\\system32\\svchost.exe" and (User contains "AUTHORI" or User contains "AUTORI"))))
Microsoft Sentinel Converted KQL high T1528 ↗
Primary Refresh Token Access Attempt
Indicates an access attempt to the PRT resource, which can be used to move laterally within an organization or to perform credential theft
Show query
riskEventType =~ "attemptedPrtAccess"
Microsoft Sentinel Converted KQL high T1105 ↗
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Show query
Image endswith "\\PrintBrm.exe" and (CommandLine contains " -f" and CommandLine contains ".zip")
Microsoft Sentinel Converted KQL high T1021 ↗
Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Show query
((Image endswith "\\cmd.exe" or Image endswith "\\powershell.exe") or (OriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE"))) and (CommandLine contains "echo" and CommandLine contains ">" and CommandLine contains "\\\\.\\pipe\\")
Microsoft Sentinel Converted KQL high T1098 ↗
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Show query
"new user" and ("GID=0," or "UID=0," or "GID=10," or "GID=27,")
Microsoft Sentinel Converted KQL high T1003.001 ↗
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Show query
(CommandLine contains "\\TrolleyExpress 7" or CommandLine contains "\\TrolleyExpress 8" or CommandLine contains "\\TrolleyExpress 9" or CommandLine contains "\\TrolleyExpress.exe 7" or CommandLine contains "\\TrolleyExpress.exe 8" or CommandLine contains "\\TrolleyExpress.exe 9" or CommandLine contains "\\TrolleyExpress.exe -ma ") or (Image endswith "\\TrolleyExpress.exe" and (not((OriginalFileName contains "CtxInstall" or isnull(OriginalFileName)))))
Microsoft Sentinel Converted KQL high T1190 ↗
Process Execution Error In JVM Based Application
Detects process execution related exceptions in JVM based apps, often relates to RCE
Show query
"Cannot run program" or "java.lang.ProcessImpl" or "java.lang.ProcessBuilder"
Microsoft Sentinel Converted KQL high T1036 ↗
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
Show query
(Image contains ":\\Perflogs\\" or Image contains ":\\Users\\All Users\\" or Image contains ":\\Users\\Default\\" or Image contains ":\\Users\\NetworkService\\" or Image contains ":\\Windows\\addins\\" or Image contains ":\\Windows\\debug\\" or Image contains ":\\Windows\\Fonts\\" or Image contains ":\\Windows\\Help\\" or Image contains ":\\Windows\\IME\\" or Image contains ":\\Windows\\Media\\" or Image contains ":\\Windows\\repair\\" or Image contains ":\\Windows\\security\\" or Image contains ":\\Windows\\System32\\Tasks\\" or Image contains ":\\Windows\\Tasks\\" or Image contains "$Recycle.bin" or Image contains "\\config\\systemprofile\\" or Image contains "\\Intel\\Logs\\" or Image contains "\\RSA\\MachineKeys\\") and (not((Image startswith "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\" or (Image startswith "C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\" and Image endswith "\\CitrixReceiverUpdater.exe"))))
Microsoft Sentinel Converted KQL high T1068 ↗
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, dropping it to disk for a few moments, running a service that uses the driver and removing it afterwards.
Show query
(TargetFilename contains "\\PROCEXP" and TargetFilename endswith ".sys") and (not((Image endswith "\\procexp.exe" or Image endswith "\\procexp64.exe")))
Microsoft Sentinel Converted KQL high T1102 ↗
Process Initiated Network Connection To Ngrok Domain
Detects an executable initiating a network connection to "ngrok" domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
Show query
Initiated =~ "true" and (DestinationHostname endswith ".ngrok-free.app" or DestinationHostname endswith ".ngrok-free.dev" or DestinationHostname endswith ".ngrok.app" or DestinationHostname endswith ".ngrok.dev" or DestinationHostname endswith ".ngrok.io")
Microsoft Sentinel Converted KQL high T1003.001 ↗
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Show query
((Image endswith "\\rundll32.exe" or OriginalFileName =~ "RUNDLL32.EXE" or CommandLine contains "rundll32") and ((CommandLine contains "comsvcs" and CommandLine contains "full") and (CommandLine contains "#-" or CommandLine contains "#+" or CommandLine contains "#24" or CommandLine contains "24 " or CommandLine contains "MiniDump" or CommandLine contains "#65560"))) or ((CommandLine contains "24" and CommandLine contains "comsvcs" and CommandLine contains "full") and (CommandLine contains " #" or CommandLine contains ",#" or CommandLine contains ", #" or CommandLine contains "\"#"))
Microsoft Sentinel Converted KQL high T1003.001 ↗
Process Memory Dump via RdrLeakDiag.EXE
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
Show query
(Image endswith "\\rdrleakdiag.exe" or OriginalFileName =~ "RdrLeakDiag.exe") and (CommandLine contains "-memdmp" or CommandLine contains "/memdmp" or CommandLine contains "–memdmp" or CommandLine contains "—memdmp" or CommandLine contains "―memdmp" or CommandLine contains "fullmemdmp") and (CommandLine contains " -o " or CommandLine contains " /o " or CommandLine contains " –o " or CommandLine contains " —o " or CommandLine contains " ―o " or CommandLine contains " -p " or CommandLine contains " /p " or CommandLine contains " –p " or CommandLine contains " —p " or CommandLine contains " ―p ")
Microsoft Sentinel Converted KQL high T1543.003 ↗
ProcessHacker Privilege Elevation
Detects a ProcessHacker tool that elevated privileges to a very high level
Show query
Provider_Name =~ "Service Control Manager" and EventID == 7045 and ServiceName startswith "ProcessHacker" and AccountName =~ "LocalSystem"
Microsoft Sentinel Converted KQL high T1021.002 ↗
Protected Storage Service Access
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
Show query
EventID == 5145 and ShareName contains "IPC" and RelativeTargetName =~ "protected_storage"
Microsoft Sentinel Converted KQL high T1218 ↗
Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Show query
((Image endswith "\\wuauclt.exe" or OriginalFileName =~ "wuauclt.exe") and (CommandLine contains "UpdateDeploymentProvider" and CommandLine contains "RunHandlerComServer")) and (not((CommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or CommandLine contains " wuaueng.dll " or (CommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or CommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (CommandLine contains ":\\Windows\\WinSxS\\" and CommandLine contains "\\UpdateDeploy.dll /ClassId "))))
Microsoft Sentinel Converted KQL high
PsExec Service Child Process Execution as LOCAL SYSTEM
Detects a suspicious launch of the PSEXESVC service on this system with a child process running as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system with the highest privileges rather than only the privileges of the logged-in user account (e.g. the administrator account)
Show query
ParentImage =~ "C:\\Windows\\PSEXESVC.exe" and (User contains "AUTHORI" or User contains "AUTORI")
Microsoft Sentinel Converted KQL high T1587.001 ↗
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
Show query
(CommandLine contains " -s cmd" or CommandLine contains " /s cmd" or CommandLine contains " –s cmd" or CommandLine contains " —s cmd" or CommandLine contains " ―s cmd" or CommandLine contains " -s -i cmd" or CommandLine contains " -s /i cmd" or CommandLine contains " -s –i cmd" or CommandLine contains " -s —i cmd" or CommandLine contains " -s ―i cmd" or CommandLine contains " /s -i cmd" or CommandLine contains " /s /i cmd" or CommandLine contains " /s –i cmd" or CommandLine contains " /s —i cmd" or CommandLine contains " /s ―i cmd" or CommandLine contains " –s -i cmd" or CommandLine contains " –s /i cmd" or CommandLine contains " –s –i cmd" or CommandLine contains " –s —i cmd" or CommandLine contains " –s ―i cmd" or CommandLine contains " —s -i cmd" or CommandLine contains " —s /i cmd" or CommandLine contains " —s –i cmd" or CommandLine contains " —s —i cmd" or CommandLine contains " —s ―i cmd" or CommandLine contains " ―s -i cmd" or CommandLine contains " ―s /i cmd" or CommandLine contains " ―s –i cmd" or CommandLine contains " ―s —i cmd" or CommandLine contains " ―s ―i cmd" or CommandLine contains " -i -s cmd" or CommandLine contains " -i /s cmd" or CommandLine contains " -i –s cmd" or CommandLine contains " -i —s cmd" or CommandLine contains " -i ―s cmd" or CommandLine contains " /i -s cmd" or CommandLine contains " /i /s cmd" or CommandLine contains " /i –s cmd" or CommandLine contains " /i —s cmd" or CommandLine contains " /i ―s cmd" or CommandLine contains " –i -s cmd" or CommandLine contains " –i /s cmd" or CommandLine contains " –i –s cmd" or CommandLine contains " –i —s cmd" or CommandLine contains " –i ―s cmd" or CommandLine contains " —i -s cmd" or CommandLine contains " —i /s cmd" or CommandLine contains " —i –s cmd" or CommandLine contains " —i —s cmd" or CommandLine contains " —i ―s cmd" or CommandLine contains " ―i -s cmd" or CommandLine contains " ―i /s cmd" or CommandLine contains " ―i –s cmd" or CommandLine contains " ―i —s cmd" or CommandLine contains " ―i ―s cmd" or CommandLine contains " -s pwsh" or CommandLine contains " /s pwsh" or CommandLine contains " –s pwsh" or CommandLine contains " —s pwsh" or CommandLine contains " ―s pwsh" or CommandLine contains " -s -i pwsh" or CommandLine contains " -s /i pwsh" or CommandLine contains " -s –i pwsh" or CommandLine contains " -s —i pwsh" or CommandLine contains " -s ―i pwsh" or CommandLine contains " /s -i pwsh" or CommandLine contains " /s /i pwsh" or CommandLine contains " /s –i pwsh" or CommandLine contains " /s —i pwsh" or CommandLine contains " /s ―i pwsh" or CommandLine contains " –s -i pwsh" or CommandLine contains " –s /i pwsh" or CommandLine contains " –s –i pwsh" or CommandLine contains " –s —i pwsh" or CommandLine contains " –s ―i pwsh" or CommandLine contains " —s -i pwsh" or CommandLine contains " —s /i pwsh" or CommandLine contains " —s –i pwsh" or CommandLine contains " —s —i pwsh" or CommandLine contains " —s ―i pwsh" or CommandLine contains " ―s -i pwsh" or CommandLine contains " ―s /i pwsh" or CommandLine contains " ―s –i pwsh" or CommandLine contains " ―s —i pwsh" or CommandLine contains " ―s ―i pwsh" or CommandLine contains " -i -s pwsh" or CommandLine contains " -i /s pwsh" or CommandLine contains " -i –s pwsh" or CommandLine contains " -i —s pwsh" or CommandLine contains " -i ―s pwsh" or CommandLine contains " /i -s pwsh" or CommandLine contains " /i /s pwsh" or CommandLine contains " /i –s pwsh" or CommandLine contains " /i —s pwsh" or CommandLine contains " /i ―s pwsh" or CommandLine contains " –i -s pwsh" or CommandLine contains " –i /s pwsh" or CommandLine contains " –i –s pwsh" or CommandLine contains " –i —s pwsh" or CommandLine contains " –i ―s pwsh" or CommandLine contains " —i -s pwsh" or CommandLine contains " —i /s pwsh" or CommandLine contains " —i –s pwsh" or CommandLine contains " —i —s pwsh" or CommandLine contains " —i ―s pwsh" or CommandLine contains " ―i -s pwsh" or CommandLine contains " ―i /s pwsh" or CommandLine contains " ―i –s pwsh" or CommandLine contains " ―i —s pwsh" or CommandLine contains " ―i ―s pwsh" or CommandLine contains " -s powershell" or CommandLine contains " /s powershell" or CommandLine contains " –s powershell" or CommandLine contains " —s powershell" or CommandLine contains " ―s powershell" or CommandLine contains " -s -i powershell" or CommandLine contains " -s /i powershell" or CommandLine contains " -s –i powershell" or CommandLine contains " -s —i powershell" or CommandLine contains " -s ―i powershell" or CommandLine contains " /s -i powershell" or CommandLine contains " /s /i powershell" or CommandLine contains " /s –i powershell" or CommandLine contains " /s —i powershell" or CommandLine contains " /s ―i powershell" or CommandLine contains " –s -i powershell" or CommandLine contains " –s /i powershell" or CommandLine contains " –s –i powershell" or CommandLine contains " –s —i powershell" or CommandLine contains " –s ―i powershell" or CommandLine contains " —s -i powershell" or CommandLine contains " —s /i powershell" or CommandLine contains " —s –i powershell" or CommandLine contains " —s —i powershell" or CommandLine contains " —s ―i powershell" or CommandLine contains " ―s -i powershell" or CommandLine contains " ―s /i powershell" or CommandLine contains " ―s –i powershell" or CommandLine contains " ―s —i powershell" or CommandLine contains " ―s ―i powershell" or CommandLine contains " -i -s powershell" or CommandLine contains " -i /s powershell" or CommandLine contains " -i –s powershell" or CommandLine contains " -i —s powershell" or CommandLine contains " -i ―s powershell" or CommandLine contains " /i -s powershell" or CommandLine contains " /i /s powershell" or CommandLine contains " /i –s powershell" or CommandLine contains " /i —s powershell" or CommandLine contains " /i ―s powershell" or CommandLine contains " –i -s powershell" or CommandLine contains " –i /s powershell" or CommandLine contains " –i –s powershell" or CommandLine contains " –i —s powershell" or CommandLine contains " –i ―s powershell" or CommandLine contains " —i -s powershell" or CommandLine contains " —i /s powershell" or CommandLine contains " —i –s powershell" or CommandLine contains " —i —s powershell" or CommandLine contains " —i ―s powershell" or CommandLine contains " ―i -s powershell" or CommandLine contains " ―i /s powershell" or CommandLine contains " ―i –s powershell" or CommandLine contains " ―i —s powershell" or CommandLine contains " ―i ―s powershell") and (CommandLine contains "psexec" or CommandLine contains "paexec" or CommandLine contains "accepteula")
Microsoft Sentinel Converted KQL high T1021.001 ↗
Publicly Accessible RDP Service
Detects connections from routable IPs to an RDP listener, which is indicative of a publicly accessible RDP service.
Show query
not((ipv4_is_in_range(id.orig_h, "::1/128") or ipv4_is_in_range(id.orig_h, "10.0.0.0/8") or ipv4_is_in_range(id.orig_h, "127.0.0.0/8") or ipv4_is_in_range(id.orig_h, "172.16.0.0/12") or ipv4_is_in_range(id.orig_h, "192.168.0.0/16") or ipv4_is_in_range(id.orig_h, "169.254.0.0/16") or ipv4_is_in_range(id.orig_h, "2620:83:8000::/48") or ipv4_is_in_range(id.orig_h, "fc00::/7") or ipv4_is_in_range(id.orig_h, "fe80::/10")))
Microsoft Sentinel Converted KQL high T1685 ↗
Python Function Execution Security Warning Disabled In Excel
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Show query
(CommandLine contains "\\Microsoft\\Office\\" and CommandLine contains "\\Excel\\Security" and CommandLine contains "PythonFunctionWarnings") and CommandLine contains " 0"
Microsoft Sentinel Converted KQL high T1685 ↗
Python Function Execution Security Warning Disabled In Excel - Registry
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Show query
TargetObject contains "\\Microsoft\\Office\\" and TargetObject endswith "\\Excel\\Security\\PythonFunctionWarnings" and Details =~ "DWORD (0x00000001)"
Microsoft Sentinel Converted KQL high T1027.010 ↗
Python One-Liners with Base64 Decoding
Detects Python one-liners that use base64 decoding functions in command-line executions. Malicious scripts or attackers often use Python one-liners to decode and execute base64-encoded payloads, a common technique for obfuscation and evasion.
Show query
(Image contains "\\python" or OriginalFileName contains "python") and ((CommandLine contains "import" and CommandLine contains "base64" and CommandLine contains " -c") and (CommandLine contains ".decode" or CommandLine contains "b16decode" or CommandLine contains "b32decode" or CommandLine contains "b32hexdecode" or CommandLine contains "b64decode" or CommandLine contains "b85decode" or CommandLine contains "z85decode"))
Microsoft Sentinel Converted KQL high T1027.010 ↗
Python One-Liners with Base64 Decoding - Linux
Detects the use of Python's base64 decoding functions in command-line executions on Linux systems. Malicious scripts often use Python one-liners to decode and execute base64-encoded payloads, a common technique for obfuscation and evasion.
Show query
Image contains "/python" and ((CommandLine contains "import" and CommandLine contains "base64" and CommandLine contains " -c") and (CommandLine contains ".decode" or CommandLine contains "b16decode" or CommandLine contains "b32decode" or CommandLine contains "b32hexdecode" or CommandLine contains "b64decode" or CommandLine contains "b85decode" or CommandLine contains "z85decode"))
Microsoft Sentinel Converted KQL high
Python Reverse Shell Execution Via PTY And Socket Modules
Detects the execution of Python with calls to the socket and pty modules in order to connect out and spawn a potential reverse shell.
Show query
Image contains "python" and (CommandLine contains " -c " and CommandLine contains "import" and CommandLine contains "pty" and CommandLine contains "socket" and CommandLine contains "spawn" and CommandLine contains ".connect")
Microsoft Sentinel Converted KQL high T1059 ↗
Python Spawning Pretty TTY on Windows
Detects Python spawning a pseudo-terminal (pty) on Windows
Show query
(Image endswith "python.exe" or Image endswith "python3.exe" or Image endswith "python2.exe") and ((CommandLine contains "import pty" and CommandLine contains ".spawn(") or CommandLine contains "from pty import spawn")
Microsoft Sentinel Converted KQL high T1090.003 ↗
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
Show query
EventID == 3008 and (QueryName endswith ".hiddenservice.net" or QueryName endswith ".onion.ca" or QueryName endswith ".onion.cab" or QueryName endswith ".onion.casa" or QueryName endswith ".onion.city" or QueryName endswith ".onion.direct" or QueryName endswith ".onion.dog" or QueryName endswith ".onion.glass" or QueryName endswith ".onion.gq" or QueryName endswith ".onion.guide" or QueryName endswith ".onion.in.net" or QueryName endswith ".onion.ink" or QueryName endswith ".onion.it" or QueryName endswith ".onion.link" or QueryName endswith ".onion.lt" or QueryName endswith ".onion.lu" or QueryName endswith ".onion.ly" or QueryName endswith ".onion.mn" or QueryName endswith ".onion.network" or QueryName endswith ".onion.nu" or QueryName endswith ".onion.pet" or QueryName endswith ".onion.plus" or QueryName endswith ".onion.pt" or QueryName endswith ".onion.pw" or QueryName endswith ".onion.rip" or QueryName endswith ".onion.sh" or QueryName endswith ".onion.si" or QueryName endswith ".onion.to" or QueryName endswith ".onion.top" or QueryName endswith ".onion.ws" or QueryName endswith ".onion" or QueryName endswith ".s1.tor-gateways.de" or QueryName endswith ".s2.tor-gateways.de" or QueryName endswith ".s3.tor-gateways.de" or QueryName endswith ".s4.tor-gateways.de" or QueryName endswith ".s5.tor-gateways.de" or QueryName endswith ".t2w.pw" or QueryName endswith ".tor2web.ae.org" or QueryName endswith ".tor2web.blutmagie.de" or QueryName endswith ".tor2web.com" or QueryName endswith ".tor2web.fi" or QueryName endswith ".tor2web.io" or QueryName endswith ".tor2web.org" or QueryName endswith ".tor2web.xyz" or QueryName endswith ".torlink.co")
Microsoft Sentinel Converted KQL high T1686.003 ↗
RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP), as seen used by Sarwent malware.
Show query
(Image endswith "\\netsh.exe" or OriginalFileName =~ "netsh.exe") and ((CommandLine contains "firewall " and CommandLine contains "add " and CommandLine contains "tcp " and CommandLine contains "3389") and (CommandLine contains "portopening" or CommandLine contains "allow"))
Microsoft Sentinel Converted KQL high T1021.001 ↗
RDP Login from Localhost
Detects an RDP login with a localhost source address, which may indicate a tunnelled login.
Show query
EventID == 4624 and LogonType == 10 and (IpAddress in~ ("::1", "127.0.0.1"))
Microsoft Sentinel Converted KQL high T1021.001 ↗
RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address from TCP source port 3389
Show query
(Image endswith "\\svchost.exe" and Initiated =~ "true" and SourcePort == 3389) and (ipv4_is_in_range(DestinationIp, "127.0.0.0/8") or ipv6_is_in_range(DestinationIp, "::1/128")) // the IPv6 loopback prefix needs ipv6_is_in_range; ipv4_is_in_range returns null for it
Microsoft Sentinel Converted KQL high T1090 ↗
RDP Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP)
Show query
(Image endswith "\\netsh.exe" or OriginalFileName =~ "netsh.exe") and (CommandLine contains " i" and CommandLine contains " p" and CommandLine contains "=3389" and CommandLine contains " c")
Microsoft Sentinel Converted KQL high T1112 ↗
RDP Sensitive Settings Changed
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'. Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
Show query
(((TargetObject contains "\\Control\\Terminal Server\\" or TargetObject contains "\\Windows NT\\Terminal Services\\") and TargetObject endswith "\\Shadow" and (Details in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)"))) or ((TargetObject contains "\\Control\\Terminal Server\\" or TargetObject contains "\\Windows NT\\Terminal Services\\") and (TargetObject endswith "\\DisableRemoteDesktopAntiAlias" or TargetObject endswith "\\DisableSecuritySettings" or TargetObject endswith "\\fAllowUnsolicited" or TargetObject endswith "\\fAllowUnsolicitedFullControl") and Details =~ "DWORD (0x00000001)") or (TargetObject contains "\\Control\\Terminal Server\\InitialProgram" or TargetObject contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or TargetObject contains "\\services\\TermService\\Parameters\\ServiceDll" or TargetObject contains "\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer" or TargetObject contains "\\Windows NT\\Terminal Services\\InitialProgram")) and (not((TargetObject endswith "\\SecurityLayer" and Details =~ "DWORD (0x00000002)")))
Microsoft Sentinel Converted KQL high T1021.001 ↗
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
Show query
EventID == 5156 and ((SourcePort == 3389 and (DestAddress in~ ("::1") or DestAddress startswith "127.")) or (DestPort == 3389 and (SourceAddress in~ ("::1") or SourceAddress startswith "127."))) and (not((FilterOrigin =~ "AppContainer Loopback" or (Application endswith "\\thor.exe" or Application endswith "\\thor64.exe"))))
Microsoft Sentinel Converted KQL high T1021.001 ↗
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Show query
Image endswith "\\svchost.exe" and Initiated =~ "true" and SourcePort == 3389 and (DestinationPort in~ ("80", "443"))
Microsoft Sentinel Converted KQL high
RTCore Suspicious Service Installation
Detects the installation of the RTCore service, which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
Show query
Provider_Name =~ "Service Control Manager" and EventID == 7045 and ServiceName =~ "RTCore64"
Microsoft Sentinel Converted KQL high T1685 ↗
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Show query
(CommandLine contains "taskkill " and CommandLine contains "RaccineSettings.exe") or (CommandLine contains "reg.exe" and CommandLine contains "delete" and CommandLine contains "Raccine Tray") or (CommandLine contains "schtasks" and CommandLine contains "/DELETE" and CommandLine contains "Raccine Rules Updater")
Microsoft Sentinel Converted KQL high T1560.001 ↗
Rar Usage with Password and Compression Level
Detects the use of rar.exe on the command line to create an archive with password protection or with a specific compression level. This is fairly indicative of malicious actions.
Show query
CommandLine contains " -hp" and (CommandLine contains " -m" or CommandLine contains " a ")
Microsoft Sentinel Converted KQL high T1055 ↗
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Show query
(SourceImage endswith "\\bash.exe" or SourceImage endswith "\\cscript.exe" or SourceImage endswith "\\cvtres.exe" or SourceImage endswith "\\defrag.exe" or SourceImage endswith "\\dialer.exe" or SourceImage endswith "\\dnx.exe" or SourceImage endswith "\\esentutl.exe" or SourceImage endswith "\\excel.exe" or SourceImage endswith "\\expand.exe" or SourceImage endswith "\\find.exe" or SourceImage endswith "\\findstr.exe" or SourceImage endswith "\\forfiles.exe" or SourceImage endswith "\\gpupdate.exe" or SourceImage endswith "\\hh.exe" or SourceImage endswith "\\installutil.exe" or SourceImage endswith "\\lync.exe" or SourceImage endswith "\\makecab.exe" or SourceImage endswith "\\mDNSResponder.exe" or SourceImage endswith "\\monitoringhost.exe" or SourceImage endswith "\\msbuild.exe" or SourceImage endswith "\\mshta.exe" or SourceImage endswith "\\mspaint.exe" or SourceImage endswith "\\outlook.exe" or SourceImage endswith "\\ping.exe" or SourceImage endswith "\\provtool.exe" or SourceImage endswith "\\python.exe" or SourceImage endswith "\\regsvr32.exe" or SourceImage endswith "\\robocopy.exe" or SourceImage endswith "\\runonce.exe" or SourceImage endswith "\\sapcimc.exe" or SourceImage endswith "\\smartscreen.exe" or SourceImage endswith "\\spoolsv.exe" or SourceImage endswith "\\tstheme.exe" or SourceImage endswith "\\userinit.exe" or SourceImage endswith "\\vssadmin.exe" or SourceImage endswith "\\vssvc.exe" or SourceImage endswith "\\w3wp.exe" or SourceImage endswith "\\winscp.exe" or SourceImage endswith "\\winword.exe" or SourceImage endswith "\\wmic.exe" or SourceImage endswith "\\wscript.exe") and (not((((SourceImage in~ ("C:\\Windows\\System32\\Defrag.exe", "C:\\Windows\\System32\\makecab.exe")) and TargetImage =~ "C:\\Windows\\System32\\conhost.exe") or (SourceImage =~ "C:\\Windows\\System32\\provtool.exe" and TargetImage =~ "C:\\Windows\\System32\\svchost.exe") or (SourceImage =~ "C:\\Windows\\System32\\provtool.exe" and TargetImage =~ "System") or (SourceImage =~ "C:\\Windows\\System32\\userinit.exe" and TargetImage =~ "C:\\Windows\\explorer.exe") or (SourceImage endswith "\\WINWORD.EXE" and (TargetImage startswith "C:\\Program Files (x86)\\" or TargetImage startswith "C:\\Program Files\\")) or ((SourceImage startswith "C:\\Program Files\\Microsoft Office\\" or SourceImage startswith "C:\\Program Files (x86)\\Microsoft Office\\") and TargetImage =~ "System")))) and (not((SourceImage endswith "\\SysWOW64\\explorer.exe" and (TargetImage in~ ("C:\\Program Files (x86)\\VMware\\VMware Tools\\vmtoolsd.exe", "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe")))))
Microsoft Sentinel Converted KQL high T1071.001 ↗
Raw Paste Service Access
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
Show query
['c-uri'] contains ".paste.ee/r/" or ['c-uri'] contains ".pastebin.com/raw/" or ['c-uri'] contains ".hastebin.com/raw/" or (['c-uri'] contains ".ghostbin.co/paste/" and ['c-uri'] contains "/raw/") or ['c-uri'] contains "pastetext.net/" or ['c-uri'] contains "pastebin.pl/" or ['c-uri'] contains "paste.ee/" // a hyphenated column name must be bracket-quoted; a quoted 'c-uri' is a string literal and never matches
Showing 901-950 of 3,763