Microsoft Sentinel
3,763 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Microsoft Sentinel
Converted
KQL
high
Recon Activity via SASec
Detects remote RPC calls to read information about scheduled tasks via SASec
(EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "378e52b0-c0a9-11cf-822d-00aa0051e40f") and (not((OpNum in~ ("0", "1"))))
Reconnaissance Activity
Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
EventID == 4661 and AccessMask =~ "0x2d" and (ObjectType in~ ("SAM_USER", "SAM_GROUP")) and ObjectName startswith "S-1-5-21-" and (ObjectName endswith "-500" or ObjectName endswith "-512")
RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
TargetObject contains "HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data"
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
(Image endswith "\\reg.exe" or OriginalFileName =~ "reg.exe") and (CommandLine contains "\\AppDataLow\\Software\\Microsoft\\" or CommandLine contains "\\Policies\\Microsoft\\Windows\\OOBE" or CommandLine contains "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" or CommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon" or CommandLine contains "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" or CommandLine contains "\\Microsoft\\Windows Defender\\")
Regedit as Trusted Installer
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
Image endswith "\\regedit.exe" and (ParentImage endswith "\\TrustedInstaller.exe" or ParentImage endswith "\\ProcessHacker.exe")
Register new Logon Process by Rubeus
Detects potential use of Rubeus via a newly registered trusted logon process
EventID == 4611 and LogonProcessName =~ "User32LogonProcesss"
Registry Disable System Restore
Detects a registry modification that disables System Restore on the computer
(TargetObject contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore" or TargetObject contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore") and (TargetObject endswith "DisableConfig" or TargetObject endswith "DisableSR") and Details =~ "DWORD (0x00000001)"
Registry Export of Third-Party Credentials
Detects the use of reg.exe to export registry paths associated with third-party credentials.
Credential stealers have been known to use this technique to extract sensitive information from the registry.
(Image endswith "\\reg.exe" or OriginalFileName =~ "reg.exe") and (CommandLine contains "save" or CommandLine contains "export") and (CommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or CommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or CommandLine contains "\\Software\\DownloadManager\\Passwords" or CommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or CommandLine contains "\\Software\\IncrediMail\\Identities" or CommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or CommandLine contains "\\Software\\Mobatek\\MobaXterm" or CommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or CommandLine contains "\\Software\\OpenVPN-GUI\\configs" or CommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or CommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or CommandLine contains "\\Software\\RealVNC\\WinVNC4" or CommandLine contains "\\Software\\RimArts\\B2\\Settings" or CommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or CommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys" or CommandLine contains "\\Software\\Sota\\FFFTP" or CommandLine contains "\\Software\\TightVNC\\Server" or CommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin")
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
(TargetObject endswith "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLib" and (not(Details contains "oci.dll"))) or (TargetObject endswith "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLibPath" and (not(Details contains "%SystemRoot%\\System32\\")))
Registry Persistence Mechanisms in Recycle Bin
Detects persistence registry keys for Recycle Bin
(EventType =~ "RenameKey" and NewName contains "\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open") or (EventType =~ "SetValue" and TargetObject contains "\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\\(Default)")
Registry Persistence via Explorer Run Key
Detects a possible persistence mechanism using the Run key for Windows Explorer that points to a suspicious folder
TargetObject endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" and (Details contains ":\\$Recycle.bin\\" or Details contains ":\\ProgramData\\" or Details contains ":\\Temp\\" or Details contains ":\\Users\\Default\\" or Details contains ":\\Users\\Public\\" or Details contains ":\\Windows\\Temp\\" or Details contains "\\AppData\\Local\\Temp\\")
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
((TargetObject contains "\\Control\\SafeBoot\\Minimal\\" or TargetObject contains "\\Control\\SafeBoot\\Network\\") and TargetObject endswith "\\(Default)" and Details =~ "Service") and (not(((Image =~ "C:\\WINDOWS\\system32\\msiexec.exe" and (TargetObject endswith "\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or TargetObject endswith "\\Control\\SafeBoot\\Network\\SAVService\\(Default)")) or (Image endswith "\\MBAMInstallerService.exe" and TargetObject endswith "\\MBAMService\\(Default)" and Details =~ "Service") or (Image =~ "C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe" and (TargetObject endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Updater\\(Default)" or TargetObject endswith "\\Control\\SafeBoot\\Network\\Hexnode Updater\\(Default)" or TargetObject endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Agent\\(Default)" or TargetObject endswith "\\Control\\SafeBoot\\Network\\Hexnode Agent\\(Default)") and Details =~ "Service"))))
Regsvr32 DLL Execution With Suspicious File Extension
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
(Image endswith "\\regsvr32.exe" or OriginalFileName =~ "REGSVR32.EXE") and (CommandLine endswith ".bin" or CommandLine endswith ".bmp" or CommandLine endswith ".cr2" or CommandLine endswith ".dat" or CommandLine endswith ".eps" or CommandLine endswith ".gif" or CommandLine endswith ".ico" or CommandLine endswith ".jpeg" or CommandLine endswith ".jpg" or CommandLine endswith ".log" or CommandLine endswith ".nef" or CommandLine endswith ".orf" or CommandLine endswith ".png" or CommandLine endswith ".raw" or CommandLine endswith ".rtf" or CommandLine endswith ".sr2" or CommandLine endswith ".temp" or CommandLine endswith ".tif" or CommandLine endswith ".tiff" or CommandLine endswith ".tmp" or CommandLine endswith ".txt")
Regsvr32 Execution From Highly Suspicious Location
Detects execution of regsvr32 where the DLL is located in a highly suspicious location
(Image endswith "\\regsvr32.exe" or OriginalFileName =~ "REGSVR32.EXE") and ((CommandLine contains ":\\PerfLogs\\" or CommandLine contains ":\\Temp\\" or CommandLine contains "\\Windows\\Registration\\CRMLog" or CommandLine contains "\\Windows\\System32\\com\\dmp\\" or CommandLine contains "\\Windows\\System32\\FxsTmp\\" or CommandLine contains "\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or CommandLine contains "\\Windows\\System32\\spool\\drivers\\color\\" or CommandLine contains "\\Windows\\System32\\spool\\PRINTERS\\" or CommandLine contains "\\Windows\\System32\\spool\\SERVERS\\" or CommandLine contains "\\Windows\\System32\\Tasks_Migrated\\" or CommandLine contains "\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or CommandLine contains "\\Windows\\SysWOW64\\com\\dmp\\" or CommandLine contains "\\Windows\\SysWOW64\\FxsTmp\\" or CommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or CommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or CommandLine contains "\\Windows\\Tasks\\" or CommandLine contains "\\Windows\\Tracing\\") or ((CommandLine contains " \"C:\\" or CommandLine contains " C:\\" or CommandLine contains " 'C:\\" or CommandLine contains "D:\\") and (not((CommandLine contains "C:\\Program Files (x86)\\" or CommandLine contains "C:\\Program Files\\" or CommandLine contains "C:\\ProgramData\\" or CommandLine contains "C:\\Users\\" or CommandLine contains " C:\\Windows\\" or CommandLine contains " \"C:\\Windows\\" or CommandLine contains " 'C:\\Windows\\"))))) and (not((CommandLine =~ "" or isnull(CommandLine))))
Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
("Adfind" or "ASP/BackDoor " or "ATK/" or "Backdoor.ASP" or "Backdoor.Cobalt" or "Backdoor.JSP" or "Backdoor.PHP" or "Blackworm" or "Brutel" or "BruteR" or "Chopper" or "Cobalt" or "COBEACON" or "Cometer" or "CRYPTES" or "Cryptor" or "Destructor" or "DumpCreds" or "Exploit.Script.CVE" or "FastReverseProxy" or "Filecoder" or "GrandCrab " or "HackTool" or "HKTL" or "HTool-" or "/HTool" or ".HTool" or "IISExchgSpawnCMD" or "Impacket" or "JSP/BackDoor " or "Keylogger" or "Koadic" or "Krypt" or "Lazagne" or "Metasploit" or "Meterpreter" or "MeteTool" or "mikatz" or "Mimikatz" or "Mpreter" or "MsfShell" or "Nighthawk" or "Packed.Generic.347" or "PentestPowerShell" or "Phobos" or "PHP/BackDoor " or "Potato" or "PowerSploit" or "PowerSSH" or "PshlSpy" or "PSWTool" or "PWCrack" or "PWDump" or "Ransom" or "Rozena" or "Ryzerlo" or "Sbelt" or "Seatbelt" or "SecurityTool " or "SharpDump" or "Shellcode" or "Sliver" or "Splinter" or "Swrort" or "Tescrypt" or "TeslaCrypt" or "TurtleLoader" or "Valyria" or "Webshell") and (not((("anti_ransomware_service.exe" or "Anti-Ransomware" or "Crack" or "cyber-protect-service.exe" or "encryptor" or "Keygen") or Level == 4 or Provider_Name =~ "Microsoft-Windows-RestartManager")))
Relevant ClamAV Message
Detects relevant ClamAV messages
"Trojan*FOUND" or "VirTool*FOUND" or "Webshell*FOUND" or "Rootkit*FOUND" or "Htran*FOUND"
Remote Access Tool - AnyDesk Silent Installation
Detects a silent installation of AnyDesk Remote Desktop, which can be used by attackers to gain remote access.
CommandLine contains "--install" and CommandLine contains "--start-with-win" and CommandLine contains "--silent"
Remote Access Tool - Anydesk Execution From Suspicious Folder
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
((Image endswith "\\AnyDesk.exe" or Image endswith "\\AnyDeskMSI.exe") or Description =~ "AnyDesk" or Product =~ "AnyDesk" or Company =~ "AnyDesk Software GmbH") and (not((Image contains "\\AppData\\" or Image contains "Program Files (x86)\\AnyDesk" or Image contains "Program Files\\AnyDesk")))
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
(CommandLine contains "--meshServiceName" or OriginalFileName contains "meshagent") and (not((Image endswith "/meshagent" or Image endswith "/meshagent_osx64")))
Remote Access Tool - Renamed MeshAgent Execution - Windows
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
(CommandLine contains "--meshServiceName" or OriginalFileName contains "meshagent") and (not(Image endswith "\\meshagent.exe"))
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
ParentImage endswith "\\ScreenConnect.Service.exe" and (Image endswith "\\cmd.exe" or Image endswith "\\csc.exe")
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
EventID == 854 and (Path contains ".githubusercontent.com" or Path contains "anonfiles.com" or Path contains "cdn.discordapp.com" or Path contains "ddns.net" or Path contains "dl.dropboxusercontent.com" or Path contains "ghostbin.co" or Path contains "github.com" or Path contains "glitch.me" or Path contains "gofile.io" or Path contains "hastebin.com" or Path contains "mediafire.com" or Path contains "mega.nz" or Path contains "onrender.com" or Path contains "pages.dev" or Path contains "paste.ee" or Path contains "pastebin.com" or Path contains "pastebin.pl" or Path contains "pastetext.net" or Path contains "privatlab.com" or Path contains "privatlab.net" or Path contains "send.exploit.in" or Path contains "sendspace.com" or Path contains "storage.googleapis.com" or Path contains "storjshare.io" or Path contains "supabase.co" or Path contains "temp.sh" or Path contains "transfer.sh" or Path contains "trycloudflare.com" or Path contains "ufile.io" or Path contains "w3spaces.com" or Path contains "workers.dev")
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
(OriginalFileName =~ "HH.exe" or Image endswith "\\hh.exe") and (CommandLine contains "http://" or CommandLine contains "https://" or CommandLine contains "\\\\")
Remote DCOM/WMI Lateral Movement
Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
EventLog =~ "RPCFW" and EventID == 3 and (InterfaceUuid in~ ("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57", "99fcfec4-5260-101b-bbcb-00aa0021347a", "000001a0-0000-0000-c000-000000000046", "00000131-0000-0000-c000-000000000046", "00000143-0000-0000-c000-000000000046", "00000000-0000-0000-c000-000000000046"))
Remote Encrypting File System Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
EventLog =~ "RPCFW" and EventID == 3 and (InterfaceUuid in~ ("df1941c5-fe89-4e79-bf10-463657acf44d", "c681d488-d850-11d0-8c52-00c04fd90f7e"))
Remote Event Log Recon
Detects remote RPC calls to get event log information via EVEN or EVEN6
EventLog =~ "RPCFW" and EventID == 3 and (InterfaceUuid in~ ("82273fdc-e32a-18c3-3f78-827929dc23ea", "f6beaff7-1e19-4fbb-9f8f-b89e2018337c"))
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
(TargetImage endswith "\\lsass.exe" and SourceImage endswith ":\\Windows\\system32\\wsmprovhost.exe") and (not(GrantedAccess =~ "0x80000000"))
Remote PowerShell Session (PS Module)
Detects remote PowerShell sessions
(ContextInfo contains " = ServerRemoteHost " and ContextInfo contains "wsmprovhost.exe") and (not(ContextInfo contains "\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1"))
Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
EventID == 5156 and (DestPort in~ ("5985", "5986")) and LayerRTID == 44
Remote Printing Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
EventLog =~ "RPCFW" and EventID == 3 and (InterfaceUuid in~ ("12345678-1234-abcd-ef00-0123456789ab", "76f03f96-cdfd-44fc-a22c-64950a001209", "0b6edbfa-4a24-4fc6-8a23-942b1eca65d1", "ae33069b-a2a8-46ee-a235-ddfd339be281"))
Remote Registry Lateral Movement
Detects remote RPC calls to modify the registry and possibly execute code
EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "338cd001-2244-31f1-aaaa-900038001003" and (OpNum in~ ("6", "7", "8", "13", "18", "19", "21", "22", "23", "35"))
Remote Registry Recon
Detects remote RPC calls to collect information
(EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "338cd001-2244-31f1-aaaa-900038001003") and (not((OpNum in~ ("6", "7", "8", "13", "18", "19", "21", "22", "23", "35"))))
Remote Schedule Task Lateral Movement via ATSvc
Detects remote RPC calls to create or execute a scheduled task via ATSvc
EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "1ff70682-0a51-30e8-076d-740be8cee98b" and (OpNum in~ ("0", "1"))
Remote Schedule Task Lateral Movement via ITaskSchedulerService
Detects remote RPC calls to create or execute a scheduled task
EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "86d35949-83c9-4044-b424-db363231fd0c" and (OpNum in~ ("1", "3", "4", "10", "11", "12", "13", "14", "15"))
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "378e52b0-c0a9-11cf-822d-00aa0051e40f" and (OpNum in~ ("0", "1"))
Remote Schedule Task Recon via ATSvc
Detects remote RPC calls to read information about scheduled tasks via ATSvc
(EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "1ff70682-0a51-30e8-076d-740be8cee98b") and (not((OpNum in~ ("0", "1"))))
Remote Schedule Task Recon via ITaskSchedulerService
Detects remote RPC calls to read information about scheduled tasks
(EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "86d35949-83c9-4044-b424-db363231fd0c") and (not((OpNum in~ ("1", "3", "4", "10", "11", "12", "13", "14", "15"))))
Remote Server Service Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "4b324fc8-1670-01d3-1278-5a47bf6ee188"
Remote Server Service Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "367abb81-9844-35f1-ad32-98f038001003"
Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe", which could indicate potential password dumping activity
TargetImage endswith "\\KeePass.exe"
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
TargetImage endswith "\\mstsc.exe" and (SourceImage contains ":\\Temp\\" or SourceImage contains ":\\Users\\Public\\" or SourceImage contains ":\\Windows\\PerfLogs\\" or SourceImage contains ":\\Windows\\Tasks\\" or SourceImage contains ":\\Windows\\Temp\\" or SourceImage contains "\\AppData\\Local\\Temp\\")
Remote Thread Creation Ttdinject.exe Proxy
Detects remote thread creation by Ttdinject.exe when it is used as a proxy
SourceImage endswith "\\ttdinject.exe"
Remote XSL Execution Via Msxsl.EXE
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
Image endswith "\\msxsl.exe" and CommandLine contains "http"
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
CommandLine contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or CommandLine contains "Invoke-ATHRemoteFXvGPUDisableme"
Remotely Hosted HTA File Executed Via Mshta.EXE
Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
(Image endswith "\\mshta.exe" or OriginalFileName =~ "MSHTA.EXE") and (CommandLine contains "http://" or CommandLine contains "https://" or CommandLine contains "ftp://")
Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
(TargetObject endswith "{2781761E-28E0-4109-99FE-B9D127C57AFE}" or TargetObject endswith "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}") and (not(((Image startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or Image startswith "C:\\Program Files\\Windows Defender\\" or Image startswith "C:\\Program Files (x86)\\Windows Defender\\") and Image endswith "\\MsMpEng.exe")))
Remove Exported Mailbox from Exchange Webserver
Detects removal of an exported Exchange mailbox, which could be an attempt to cover tracks after ProxyShell exploitation
"Remove-MailboxExportRequest" and " -Identity " and " -Confirm \"False\""
Renamed AdFind Execution
Detects the use of a renamed AdFind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
((CommandLine contains "domainlist" or CommandLine contains "trustdmp" or CommandLine contains "dcmodes" or CommandLine contains "adinfo" or CommandLine contains " dclist " or CommandLine contains "computer_pwdnotreqd" or CommandLine contains "objectcategory=" or CommandLine contains "-subnets -f" or CommandLine contains "name=\"Domain Admins\"" or CommandLine contains "-sc u:" or CommandLine contains "domainncs" or CommandLine contains "dompol" or CommandLine contains " oudmp " or CommandLine contains "subnetdmp" or CommandLine contains "gpodmp" or CommandLine contains "fspdmp" or CommandLine contains "users_noexpire" or CommandLine contains "computers_active" or CommandLine contains "computers_pwdnotreqd") or (Hashes contains "IMPHASH=BCA5675746D13A1F246E2DA3C2217492" or Hashes contains "IMPHASH=53E117A96057EAF19C41380D0E87F1C2" or Hashes contains "IMPHASH=d144de8117df2beceaba2201ad304764" or Hashes contains "IMPHASH=12ce1c0f3f5837ecc18a3782408fa975" or Hashes contains "IMPHASH=4fbf3f084fbbb2470b80b2013134df35" or Hashes contains "IMPHASH=49b639b4acbecc49d72a01f357aa4930" or Hashes contains "IMPHASH=680dad9e300346e05a85023965867201" or Hashes contains "IMPHASH=21aa085d54992511b9f115355e468782") or OriginalFileName =~ "AdFind.exe") and (not(Image endswith "\\AdFind.exe"))
Renamed AutoIt Execution
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.
AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.
Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
((CommandLine contains " /AutoIt3ExecuteScript" or CommandLine contains " /ErrorStdOut") or (Hashes contains "IMPHASH=FDC554B3A8683918D731685855683DDF" or Hashes contains "IMPHASH=CD30A61B60B3D60CECDB034C8C83C290" or Hashes contains "IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000") or (OriginalFileName in~ ("AutoIt3.exe", "AutoIt2.exe", "AutoIt.exe"))) and (not((Image endswith "\\AutoIt.exe" or Image endswith "\\AutoIt2.exe" or Image endswith "\\AutoIt3_x64.exe" or Image endswith "\\AutoIt3.exe")))
Renamed BrowserCore.EXE Execution
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
OriginalFileName =~ "BrowserCore.exe" and (not(Image endswith "\\BrowserCore.exe"))
Showing 951-1000 of 3,763