
Hunt pack: Play

991 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Play - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.

Detections

50 shown of 991
Splunk Original SPL T1087.001 ↗
Local Account Discovery With Wmic
The following analytic detects the execution of `wmic.exe` with command-line arguments used to query local user accounts, specifically the `useraccount` argument. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, or lateral movement within the network.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_wmic` (Processes.process=*useraccount*)
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `local_account_discovery_with_wmic_filter`
Splunk Original SPL T1078 ↗
M365 Copilot Application Usage Pattern Anomalies
Detects M365 Copilot users exhibiting suspicious application usage patterns including multi-location access, abnormally high activity volumes, or access to multiple Copilot applications that may indicate account compromise or automated abuse. The detection aggregates M365 Copilot Graph API events per user, calculating metrics like distinct cities/countries accessed, unique IP addresses, number of different Copilot apps used, and average events per day over the observation period. Users are flagged when they access Copilot from multiple cities (cities_count > 1), generate excessive daily activity (events_per_day > 100), or use more than two different Copilot applications (app_count > 2), which are anomalous patterns suggesting credential compromise or bot-driven abuse.
`m365_copilot_graph_api` (appDisplayName="*Copilot*" OR appDisplayName="M365ChatClient" OR appDisplayName="OfficeAIAppChatCopilot") | eval user = userPrincipalName | stats count as events,
    dc(location.city) as cities_count,
    values(location.city) as city_list,
    dc(location.countryOrRegion) as countries_count,
    values(location.countryOrRegion) as country_list,
    dc(ipAddress) as ip_count,
    values(ipAddress) as ip_addresses,
    dc(appDisplayName) as app_count,
    values(appDisplayName) as apps_used,
    dc(resourceDisplayName) as resource_count,
    values(resourceDisplayName) as resources_accessed,
    min(_time) as first_seen,
    max(_time) as last_seen
    by user
| eval days_active = round((last_seen - first_seen)/86400, 1) | eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S") | eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S") | eval events_per_day = if(days_active > 0, round(events/days_active, 2), events) | where cities_count > 1 OR events_per_day > 100 OR app_count > 2 | sort -events_per_day, -countries_count | `m365_copilot_application_usage_pattern_anomalies_filter`
Splunk Original SPL T1078 ↗
M365 Copilot Session Origin Anomalies
Detects M365 Copilot users accessing from multiple geographic locations to identify potential account compromise, credential sharing, or impossible travel patterns. The detection aggregates M365 Copilot Graph API events per user, calculating distinct cities and countries accessed, unique IP addresses, and the observation timeframe to compute a locations-per-day metric that measures geographic mobility. Users accessing Copilot from more than one city (cities_count > 1) are flagged and sorted by country and city diversity, surfacing accounts exhibiting anomalous geographic patterns that suggest compromised credentials being used from distributed locations or simultaneous access from impossible travel distances.
`m365_copilot_graph_api` (appDisplayName="*Copilot*" OR appDisplayName="M365ChatClient" OR appDisplayName="OfficeAIAppChatCopilot")
  | eval user = userPrincipalName
  | stats count as events, dc(location.city) as cities_count, values(location.city) as city_list, dc(location.countryOrRegion) as countries_count, values(location.countryOrRegion) as country_list, dc(ipAddress) as ip_count, values(ipAddress) as ip_addresses, min(_time) as first_seen, max(_time) as last_seen
    BY user
  | eval days_active = round((last_seen - first_seen)/86400, 1)
  | eval locations_per_day = if(days_active > 0, round(cities_count/days_active, 2), cities_count)
  | eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
  | eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
  | where cities_count > 1
  | sort -countries_count, -cities_count
  | `m365_copilot_session_origin_anomalies_filter`
Splunk Original SPL T1059 ↗
MCP Filesystem Server Suspicious Extension Write
This detection identifies attempts to create executable or script files through MCP filesystem server connections. Threat actors leveraging LLM-based tools may attempt to write malicious executables, scripts, or batch files to disk for persistence or code execution. The detection prioritizes files written to system directories or startup locations, which indicates a higher likelihood of malicious intent.
`mcp_server` method IN ("write_file", "create_file") direction=inbound
| spath output=file_path path=params.path
| spath output=file_content path=params.content
| eval dest=host
| eval file_extension=lower(mvindex(split(file_path, "."), -1))
| where file_extension IN (
    "exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "msi", "hta", "wsf", "wsh", "pif", "com", "cpl",
    "sh", "bash", "zsh", "ksh", "csh", "tcsh", "fish",
    "py", "pl", "rb", "php", "lua", "awk",
    "so", "dylib", "bin", "elf", "run", "appimage",
    "deb", "rpm", "pkg", "dmg",
    "plist", "service", "timer", "socket", "conf"
    )
| eval
    file_path_lower=lower(file_path),
    is_system_path = if(match(file_path_lower, "(windows|system32|syswow64|program files|/usr|/bin|/sbin|/lib|/lib64|/etc|/opt)"), 1, 0),
    is_startup_path = if(match(file_path_lower, "(startup|autorun|cron\.d|crontab|launchd|launchagents|launchdaemons|systemd|init\.d|rc\.d|rc\.local|profile\.d|bashrc|zshrc|bash_profile)"), 1, 0),
    is_hidden_unix = if(match(file_path, "/\.[^/]+$"), 1, 0),
    content_length=len(file_content)
| stats count min(_time) as firstTime max(_time) as lastTime values(file_path) as file_paths values(file_extension) as extensions max(is_system_path) as targets_system_path max(is_startup_path) as targets_startup_path max(is_hidden_unix) as targets_hidden_file avg(content_length) as avg_content_size by dest, method
| eval
    targets_system_path=if(isnull(targets_system_path), 0, targets_system_path),
    targets_startup_path=if(isnull(targets_startup_path), 0, targets_startup_path),
    targets_hidden_file=if(isnull(targets_hidden_file), 0, targets_hidden_file)
| sort - targets_startup_path, - targets_system_path, - targets_hidden_file, - count
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table dest firstTime lastTime count method extensions file_paths targets_system_path targets_startup_path targets_hidden_file avg_content_size
| `mcp_filesystem_server_suspicious_extension_write_filter`
Splunk Original SPL T1059 ↗
MCP Prompt Injection
This detection identifies potential prompt injection attempts within MCP (Model Context Protocol) communications by monitoring for known malicious phrases and patterns commonly used to manipulate AI assistants. Prompt injection is a critical vulnerability where adversaries embed hidden instructions in content processed by AI tools, attempting to override system prompts, bypass security controls, or hijack the AI's behavior. The search monitors JSON-RPC traffic for phrases such as "IGNORE PREVIOUS INSTRUCTIONS," "SYSTEM PROMPT OVERRIDE," and "ignore all security" which indicate attempts to subvert the AI's intended behavior and potentially execute unauthorized actions through the MCP toolchain.
`mcp_server` direction=inbound ( "IGNORE PREVIOUS INSTRUCTIONS" OR "AI_INSTRUCTION" OR "SYSTEM PROMPT OVERRIDE" OR "[SYSTEM]:" OR "ignore all security" OR "New directive" OR "ignore security policies" )
| eval dest=host
| eval injection_payload=coalesce('params.content_preview', 'params.result_preview')
| eval target_path='params.path'
| eval sql_query='params.query'
| stats count min(_time) as firstTime max(_time) as lastTime values(method) as method values(target_path) as target_path values(sql_query) as sql_query values(injection_payload) as injection_payload by dest, source
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table dest firstTime lastTime count source method target_path sql_query injection_payload
| `mcp_prompt_injection_filter`
Splunk Original SPL T1190 ↗
MOVEit Certificate Store Access Failure
This detection identifies potential exploitation attempts of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures to access the certificate store, which can occur when an attacker attempts to exploit the authentication bypass vulnerability. This behavior is a key indicator of attempts to impersonate valid users without proper credentials. While certificate store access failures can occur during normal operations, an unusual increase in such events, especially from unexpected sources, may indicate malicious activity.
`moveit_sftp_logs` "IpWorksKeyService: Caught exception of type IPWorksSSHException: The certificate store could not be opened"
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY source _raw
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `moveit_certificate_store_access_failure_filter`
Splunk Original SPL T1190 ↗
MOVEit Empty Key Fingerprint Authentication Attempt
This detection identifies attempts to authenticate with an empty public key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential exploitation of the CVE-2024-5806 vulnerability. Such attempts are characteristic of the authentication bypass technique used in this vulnerability, where attackers try to impersonate valid users without providing proper credentials. While occasional empty key fingerprint authentication attempts might occur due to misconfigurations, a sudden increase or attempts from unexpected sources could signify malicious activity. This analytic helps security teams identify and investigate potential exploitation attempts of the MOVEit Transfer authentication bypass vulnerability.
`moveit_sftp_logs` "UserAuthRequestHandler: SftpPublicKeyAuthenticator: Attempted to authenticate empty public key fingerprint"
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY source _raw
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `moveit_empty_key_fingerprint_authentication_attempt_filter`
Splunk Original SPL T1059.007 ↗
MS Scripting Process Loading Ldap Module
The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.
`sysmon` EventCode=7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
  by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
     process_exec process_guid process_hash process_id process_name process_path
     service_dll_signature_exists service_dll_signature_verified signature signature_id
     user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ms_scripting_process_loading_ldap_module_filter`
Splunk Original SPL T1059.007 ↗
MS Scripting Process Loading WMI Module
The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.
`sysmon` EventCode=7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll", "*\\wmiutils.dll", "*\\wbemcomn.dll")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
  by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
     process_exec process_guid process_hash process_id process_name process_path
     service_dll_signature_exists service_dll_signature_verified signature signature_id
     user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ms_scripting_process_loading_wmi_module_filter`
Splunk Original SPL T1059.002 ↗
MacOS AMOS Stealer - Virtual Machine Check Activity
The following analytic detects AMOS Stealer VM check activity on macOS. It leverages osquery to monitor process events and identifies the execution of the "osascript" command along with specific command-line strings. This activity is significant because AMOS Stealer has been observed using this pattern to check whether the host is a virtual machine. If confirmed malicious, this behavior indicates that the host is already infected by AMOS Stealer, which could allow attackers to execute arbitrary code, escalate privileges, steal information, or persist within the environment, posing a significant security risk.
`osquery_macro`
name=es_process_events
columns.cmdline="*osascript*"
columns.cmdline="* -e *"
columns.cmdline="*set*"
columns.cmdline="*system_profiler*"
columns.cmdline IN ("*VMware*", "*QEMU*")

| rename columns.* as *

| stats min(_time) as firstTime max(_time) as lastTime
  values(cmdline) as cmdline,
  values(pid) as pid,
  values(parent) as parent,
  values(path) as path,
  values(signing_id) as signing_id
  by username host

| rename
  username as user,
  cmdline as process,
  parent as parent_process,
  path as process_path,
  host as dest

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_amos_stealer___virtual_machine_check_activity_filter`
Splunk Original SPL T1059.004 ↗
MacOS LOLbin
The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "chmod", "crontab", "curl", "find", "funzip", "killall", "openssl", "screencapture", and "wget". This activity is significant because LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
`osquery_macro`
name=es_process_events
columns.cmdline IN (
    "chmod*",
    "crontab*",
    "curl*",
    "find*",
    "funzip*",
    "killall*",
    "openssl*",
    "screencapture*",
    "wget*"
)
| rename columns.* as *
| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(cmdline) as cmdline
              values(pid) as pid
              values(parent) as parent
              values(path) as path
              values(signing_id) as signing_id
              dc(path) as dc_path
    BY username host

| rename username as user,
        cmdline as process,
        path as process_path,
        host as dest

| where dc_path > 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_lolbin_filter`
Splunk Original SPL T1016 ↗
MacOS List Firewall Rules
This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall. Specifically, it monitors executions of `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`. These commands provide insight into firewall status, allowed applications, and explicit authorization rules. While they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows. Monitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide an early indication of reconnaissance activity on macOS endpoints.
| tstats `security_content_summariesonly`
  count
  values(Processes.parent_process) AS parent_process
  values(Processes.parent_process_exec) AS parent_process_exec
  values(Processes.parent_process_id) AS parent_process_id
  values(Processes.parent_process_name) AS parent_process_name
  values(Processes.parent_process_path) AS parent_process_path
  min(_time) as firstTime
  max(_time) as lastTime

from datamodel=Endpoint.Processes where
(
Processes.process_name = "defaults"
Processes.process = "* read *"
Processes.process = "*/Library/Preferences/com.apple.alf*"
)
OR
(
  Processes.process_name = "socketfilterfw"
  Processes.process = "*--getglobalstate*"
)

by Processes.action Processes.dest Processes.process Processes.process_hash
   Processes.process_id Processes.process_name Processes.process_path
   Processes.user Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_list_firewall_rules_filter`
Splunk Original SPL T1070 ↗
MacOS Log Removal
Detects the deletion or modification of logs on MacOS systems by identifying execution of the rm command with command-line arguments referencing system.log or audit-related paths. Adversaries may remove or alter log files to cover their tracks and hinder detection and forensic analysis. This behavior commonly occurs during post-exploitation cleanup.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process = "*system.log*"
AND
(
    (Processes.process = "*rm *")
    OR
    (
        Processes.process = "*audit*"
        Processes.process = "* -s *"
    )
)

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_log_removal_filter`
Splunk Original SPL T1135 ↗
MacOS Network Share Discovery
Identifies execution of network share enumeration commands (smbutil, showmount) that can be leveraged by adversaries to discover accessible SMB and NFS resources, supporting internal reconnaissance and potential lateral movement.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process IN ("*showmount *", "*smbutil *")

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_network_share_discovery_filter`
Splunk Original SPL T1027 ↗
Malicious PowerShell Process - Encoded Command
The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity can be significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where match(process,"(?i)(?:^|\\s)(?:/(?!/)|--?|–{1,2}|—{1,2}|―{1,2})(?:ec|encodedcommand|encodedcomman|encodedcomma|encodedcomm|encodedcom|encodedco|encodedc|encoded|encode|encod|enco|enc|en|e(?=\\s))\\s+['\\\"]?[A-Za-z0-9+/=]{5,}['\\\"]?")
| `malicious_powershell_process___encoded_command_filter`
Splunk Original SPL T1059.001 ↗
Malicious PowerShell Process - Execution Policy Bypass
The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like "-ex" or "bypass." This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.
| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_powershell` (Processes.process="* -ex*"
    AND
    Processes.process="* bypass *")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `malicious_powershell_process___execution_policy_bypass_filter`
Splunk Original SPL T1059.001 ↗
Malicious PowerShell Process With Obfuscation Techniques
The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where `process_powershell`
  by Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "'"))-1)
| search num_obfuscation > 10
| `malicious_powershell_process_with_obfuscation_techniques_filter`
Splunk Original SPL T1068 ↗
Microsoft SharePoint Server Elevation of Privilege
The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts. This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment. If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url IN (
    "*/_api/web/siteusers*",
    "*/_api/web/currentuser*"
)
Web.status=200
Web.http_method="GET"

BY Web.http_user_agent Web.status Web.http_method
   Web.url Web.url_length Web.src Web.dest

| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `microsoft_sharepoint_server_elevation_of_privilege_filter`
Splunk Original SPL T1016.001 ↗
Network Discovery Using Route Windows App
The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. Note that false positives may occur due to legitimate administrative tasks or automated scripts.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `network_discovery_using_route_windows_app_filter`
Splunk Original SPL T1135 ↗
Network Share Discovery Via Dir Command
The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.
`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask=0x1
| stats min(_time) as firstTime max(_time) as lastTime count
  by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `network_share_discovery_via_dir_command_filter`
Splunk Original SPL T1190 ↗
Nginx ConnectWise ScreenConnect Authentication Bypass
The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via alternate paths or channels. It leverages Nginx access logs to identify web requests to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected ScreenConnect instance, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.
`nginx_access_logs` uri_path IN ("*/SetupWizard.aspx/*","*/SetupWizard/") status=200 http_method=POST
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY src, dest, http_user_agent,
       url, uri_path, status,
       http_method, sourcetype, source
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `nginx_connectwise_screenconnect_authentication_bypass_filter`
Splunk Original SPL T1059.001 ↗
Nishang PowershellTCPOneLine
The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server. It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. This activity is significant as it indicates potential remote control or data exfiltration attempts by an attacker. If confirmed malicious, this could lead to unauthorized remote access, data theft, or further compromise of the affected system.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_powershell` (Processes.process=*Net.Sockets.TCPClient*
    AND
    Processes.process=*System.Text.ASCIIEncoding*)
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `nishang_powershelltcponeline_filter`
Splunk Original SPL T1003.003 ↗
Ntdsutil Export NTDS
The following analytic detects the use of Ntdsutil to export the Active Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because exporting NTDS.dit can be a precursor to offline password cracking, posing a severe security risk. If confirmed malicious, an attacker could gain access to sensitive credentials, potentially leading to unauthorized access and privilege escalation within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE (
        Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*
    )
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ntdsutil_export_ntds_filter`
Splunk Original SPL T1098.003 ↗
O365 Admin Consent Bypassed by Service Principal
The following analytic identifies instances where a service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent. It leverages `o365_management_activity` logs, specifically focusing on the 'Add app role assignment to service principal' operation. This activity is significant for SOCs as it may indicate a bypass of critical administrative controls, potentially leading to unauthorized access or privilege escalation. If confirmed malicious, this could allow an attacker to misuse automated processes to assign sensitive permissions, compromising the security of the environment.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal."
| eval len=mvcount('Actor{}.ID')
| eval userType = mvindex('Actor{}.ID',len-1)
| eval roleId = mvindex('ModifiedProperties{}.NewValue', 0)
| eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1)
| eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2)
| eval dest_user = mvindex('Target{}.ID', 0)
| search userType = "ServicePrincipal"
| eval src_user = user
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product dest_user roleId roleValue roleDescription
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_admin_consent_bypassed_by_service_principal_filter`
Splunk Original SPL T1098.003 ↗
O365 Application Available To Other Tenants
The following analytic identifies the configuration of Azure Active Directory Applications in a manner that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access to any data or capabilities the application is allowed to access. This detection leverages the O365 Universal Audit Log data source.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add application.","Update application.") ModifiedProperties{}.Name=AvailableToOtherTenants
| eval result = case(match(mvindex('ModifiedProperties{}.NewValue',mvfind('ModifiedProperties{}.Name',"AvailableToOtherTenants")),"false"),"removed",true(),"added"),
       object_name=mvindex('Target{}.ID', 3),
       signature=Operation,
       object_attrs = "AvailableToOtherTenants",
       user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
| search result = "added"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product object_attrs object_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_application_available_to_other_tenants_filter`
Splunk Original SPL T1098 ↗
O365 Application Registration Owner Added
The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to application."
| eval app_id=mvindex('ModifiedProperties{}.NewValue', 0)
| eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product app_id app_displayName object
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_application_registration_owner_added_filter`
Splunk Original SPL T1098.002 ↗
O365 ApplicationImpersonation Role Assigned
The following analytic detects the assignment of the ApplicationImpersonation role in Office 365 to a user or application. It uses the Office 365 Management Activity API to monitor Azure Active Directory audit logs for role assignment events. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. If confirmed malicious, an attacker could gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user, posing a severe security risk to the organization.
Show query
`o365_management_activity` Workload=Exchange Operation="New-ManagementRoleAssignment" Role=ApplicationImpersonation
  | rename User as target_user
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       src vendor_account vendor_product
       target_user
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_applicationimpersonation_role_assigned_filter`
Splunk Original SPL T1098.002 ↗
O365 Elevated Mailbox Permission Assigned
The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk.
Show query
`o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner)
  | rename Identity AS dest_user
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       src vendor_account vendor_product
       dest_user
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_elevated_mailbox_permission_assigned_filter`
Splunk Original SPL T1070.008, T1485 ↗
O365 Email Hard Delete Excessive Volume
The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large number of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. Some legitimate account-owner behaviors can trigger this alert; however, those actions may not align with organizational expectations or best-practice behaviors.
Show query
`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
| eval user = lower(UserId),
       sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)),
       subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')),
       -time = _time,
       file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")),
       file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
| bin _time span=1hr
| stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user
| where count > 50 OR file_size > 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_hard_delete_excessive_volume_filter`
Splunk Original SPL T1070.008, T1485, T1114.001 ↗
O365 Email Password and Payroll Compromise Behavior
The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victim's payroll to an attacker-controlled bank account.
Show query
`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
| eval mailtime = _time
| bin _time span=4hr
| eval user = lower(RecipientAddress)
| eval InternetMessageId = lower(MessageId)
| join InternetMessageId, user max=0
  [
  | search `o365_management_activity` Workload=Exchange Operation IN ("SoftDelete","HardDelete")
  | spath path=AffectedItems{}  output=AffectedItemSplit
  | fields _time,ClientIP,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit
  | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
  | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
  | eval deltime = _time
  | bin _time span=4hr
  | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId)
  ]
| stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time
| search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_password_and_payroll_compromise_behavior_filter`
Splunk Original SPL T1070.008, T1485, T1114.001 ↗
O365 Email Receive and Hard Delete Takeover Behavior
The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victim's payroll to an attacker-controlled bank account.
Show query
`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
| eval mailtime = _time
| bin _time span=4hr
| eval user = lower(RecipientAddress)
| eval InternetMessageId = lower(MessageId)
| join InternetMessageId, user max=0
  [
  | search `o365_management_activity` Workload=Exchange Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")
  | spath path=AffectedItems{}  output=AffectedItemSplit
  | fields _time,ClientProcessName,ClientIPAddress,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit,Folder.Path
  | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
  | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
  | eval deltime = _time
  | bin _time span=4hr
  | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject
  ]
| stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_receive_and_hard_delete_takeover_behavior_filter`
Splunk Original SPL T1070.008, T1485 ↗
O365 Email Send Attachments Excessive Volume
The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may use email as a simple means of transferring data out of the compromised mailbox. Some legitimate account-owner behaviors can trigger this alert; however, those actions may not align with organizational expectations or best-practice behaviors.
Show query
`o365_messagetrace` Status=Delivered
| eval mailtime = _time
| bin _time span=1hr
| eval user = lower(SenderAddress), recipient = lower(RecipientAddress)
| eval InternetMessageId = lower(MessageId)
| join InternetMessageId, user, _time max=0
  [
  | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf")
  | eval user = lower(UserId),
         sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)),
         subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')),
         -time = _time,
         file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))),
         file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)),
         InternetMessageId = lower('Item.InternetMessageId')
  | bin _time span=1hr
  | eval file_name = mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif "))
  | search file_name=*
  | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(file_name) as count by _time,user,InternetMessageId
  | where count > 25
  | eval file_name = mvjoin(file_name,"||")
  ]
| eval file_name = split(file_name,"||")
| stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime max(count) as count by subject,user,Organization,InternetMessageId
| eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient))
| search recipient = *
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_send_attachments_excessive_volume_filter`
Splunk Original SPL T1098.002, T1098.003 ↗
O365 FullAccessAsApp Permission Assigned
The following analytic detects the assignment of the 'full_access_as_app' permission to an application registration in Office 365 Exchange Online. This detection leverages Office 365 management activity logs and filters Azure Active Directory workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is granted. This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. If confirmed malicious, this could lead to unauthorized data access, exfiltration, or account compromise. Immediate investigation is required.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application."
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0)
| spath input=newvalue
| search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40"
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime values(Scope) as Scope by signature dest user src vendor_account vendor_product object user_agent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_fullaccessasapp_permission_assigned_filter`
Splunk Original SPL T1098.003 ↗
O365 High Privilege Role Granted
The following analytic detects when high-privilege roles such as "Exchange Administrator," "SharePoint Administrator," or "Global Administrator" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.
Show query
`o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory
| eval role_id = mvindex('ModifiedProperties{}.NewValue',2)
| eval role_name = mvindex('ModifiedProperties{}.NewValue',1)
| where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product ObjectId role_name role_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_high_privilege_role_granted_filter`
Splunk Original SPL T1098.002 ↗
O365 Mailbox Folder Read Permission Assigned
The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.
Show query
`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) object!=Calendar object!=Contacts object!=PersonMetadata
| eval isReadRole=if(match('Item.ParentFolder.MemberRights',"(ReadAny)"), "true", "false")
| search isReadRole="true"
| rename UserId as user
| stats count earliest(_time) as firstTime latest(_time) as lastTime by signature user object dest Item.ParentFolder.MemberUpn Item.ParentFolder.MemberRights src vendor_account vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_mailbox_folder_read_permission_assigned_filter`
Splunk Original SPL T1098.002 ↗
O365 Mailbox Folder Read Permission Granted
The following analytic identifies instances where read permissions are granted to mailbox folders within an Office 365 environment. It detects this activity by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` and `Add-MailboxFolderPermission` operations. This behavior is significant as it may indicate unauthorized access or changes to mailbox folder permissions, potentially exposing sensitive email content. If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage.
Show query
`o365_management_activity`
Workload=Exchange
Operation IN ("Set-MailboxFolderPermission", "Add-MailboxFolderPermission")
| eval isReadRole=if(match(AccessRights,"^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false")
| search isReadRole="true"
| rename UserId as user
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
  by signature dest user src vendor_account
     vendor_product Identity AccessRights
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_mailbox_folder_read_permission_granted_filter`
Splunk Original SPL T1098.003, T1114.002 ↗
O365 Mailbox Read Access Granted to Application
The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
Show query
`o365_management_activity` Operation="Update application."
| eval json_data=mvindex('ModifiedProperties{}.NewValue',0)
| eval json_data=replace(json_data,"^\[\s*","")
| eval json_data=replace(json_data,"\s*\]$","")
| spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds
| eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01")
| where isnotnull(match_found)
| fillnull
| stats count earliest(_time) as firstTime max(_time) as lastTime values(EntitlementIds) as EntitlementIds by signature, user, dest, vendor_account, vendor_product, object, src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_mailbox_read_access_granted_to_application_filter`
Splunk Original SPL T1078 ↗
O365 Multiple AppIDs and UserAgents Authentication Spike
The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.
Show query
`o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed)
  | bucket span=5m _time
  | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) values(signature) as signature
    BY _time user src
       vendor_account vendor_product dest
  | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2
  | `o365_multiple_appids_and_useragents_authentication_spike_filter`
Splunk Original SPL T1098.005 ↗
O365 New MFA Method Registered
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account.
Show query
`o365_management_activity`
Workload=AzureActiveDirectory
Operation="Update user."
| eval propertyName = mvindex('ModifiedProperties{}.Name', 0)
| search propertyName IN ("StrongAuthenticationMethod", "StrongAuthenticationPhoneAppDetail")
| eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0)
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0)
| rex field=newvalue max_match=0 "(?i)(?<new_method_type>MethodType|DeviceName)"
| rex field=oldvalue max_match=0 "(?i)(?<old_method_type>MethodType|DeviceName)"
| eval count_new_method_type = coalesce(mvcount(new_method_type), 0)
| eval count_old_method_type = coalesce(mvcount(old_method_type), 0)
| where count_new_method_type > count_old_method_type
| fillnull
| stats earliest(_time) as firstTime
        latest(_time) as lastTime
        values(propertyName) as propertyName
  by user newvalue oldvalue vendor_account
     vendor_product dest signature src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_mfa_method_registered_filter`
Splunk Original SPL T1003.002 ↗
O365 Privileged Graph API Permission Assigned
The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application."
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0)
| spath input=newvalue
| search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
| fillnull
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user src object user_agent signature vendor_account vendor_product dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_graph_api_permission_assigned_filter`
Splunk Original SPL T1098.003 ↗
O365 Privileged Role Assigned
The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
| eval user = ObjectId,
       src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)),
       object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")),
       object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")),
       signature = Operation,
       result = ResultStatus,
       category = mvindex('Target{}.ID',2)
| fillnull
| stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, src, user, category, result, object_name, object_id, signature, vendor_account, vendor_product, dest
| lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole
| search isprvilegedadrole="TRUE" category="User"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_role_assigned_filter`
Splunk Original SPL T1098.003 ↗
O365 Privileged Role Assigned To Service Principal
The following analytic detects potential privilege escalation in Azure Active Directory (AD) by identifying instances where privileged roles holding elevated permissions are assigned to service principals. This matters because service principals are non-human identities: once one holds a privileged role, it can access Azure resources with those elevated permissions, which an attacker who controls the principal could abuse. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
| eval user = ObjectId,
       src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)),
       object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")),
       object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")),
       signature = Operation,
       result = ResultStatus,
       category = mvindex('Target{}.ID',2)
| fillnull
| stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, src, user, category, result, object_name, object_id, signature, vendor_account, vendor_product, dest
| lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole
| search isprvilegedadrole="TRUE" category!="User"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_role_assigned_to_service_principal_filter`
Splunk Original SPL T1078.004 ↗
O365 Security And Compliance Alert Triggered
The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities.
Show query
`o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered
  | spath input=Data path=f3u output=user
  | spath input=Data path=op output=operation
  | spath input=_raw path=wl
  | spath input=Data path=rid output=rule_id
  | spath input=Data path=ad output=alert_description
  | spath input=Data path=lon output=operation_name
  | spath input=Data path=an output=alert_name
  | spath input=Data path=sev output=severity
  | fillnull
  | stats count earliest(_time) as firstTime latest(_time) as lastTime
    BY user, Name, rule_id,
       alert_description, alert_name, severity,
       dest, src, vendor_account,
       vendor_product, signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_security_and_compliance_alert_triggered_filter`
Splunk Original SPL T1098.001 ↗
O365 Service Principal New Client Credentials
The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management "
  | fillnull
  | stats earliest(_time) as firstTime latest(_time) as lastTime
    BY user ModifiedProperties{}.NewValue object
       ObjectId dest signature
       src vendor_account vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_service_principal_new_client_credentials_filter`
Splunk Original SPL T1098.003 ↗
O365 Service Principal Privilege Escalation
This detection identifies when an Azure Service Principal elevates its own privileges by assigning itself a new app role.
Show query
`o365_management_activity` Operation="Add app role assignment to service principal." "Actor{}.ID"=ServicePrincipal ResultStatus=Success
  | spath path=ModifiedProperties{} output=targetResources
  | eval src="NA"
  | stats min(_time) as _time
          values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole,
          values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal
          values(object) as targetAppContext
          values(user_agent) as user_agent
          values(user) as servicePrincipal
          values(UserId) as servicePrincipalId
    BY Operation InterSystemsId tenant_id user dest src vendor_account vendor_product signature
  | spath input=appRole path=NewValue output=appRole
  | spath input=targetServicePrincipal path=NewValue output=targetServicePrincipal
  | where servicePrincipal=targetServicePrincipal
  | fillnull
  | stats earliest(_time) as firstTime latest(_time) as lastTime
    BY servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenant_id InterSystemsId
       user dest src vendor_account vendor_product signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_service_principal_privilege_escalation_filter`
Splunk Original SPL T1204.002 ↗
O365 SharePoint Malware Detection
The following analytic identifies when a malicious file is detected within the SharePoint Online ecosystem. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities further enhance these detection and response functions.
Show query
`o365_management_activity` Operation=FileMalwareDetected
  | rename UserId as user, Id as signature_id
  | stats values(Workload) as category, values(SourceFileName) as file_name values(ObjectId) as file_path, values(VirusInfo) as signature, count, min(_time) as firstTime, max(_time) as lastTime
    BY signature_id, user, dest,
       src, vendor_account, vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_sharepoint_malware_detection_filter`
Splunk Original SPL T1098.003 ↗
O365 Tenant Wide Admin Consent Granted
The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.
Show query
`o365_management_activity` Operation="Consent to application."
  | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4)
  | rex field=new_field "ConsentType: (?<ConsentType>[^\,]+)"
  | rex field=new_field "Scope: (?<Scope>[^\,]+)"
  | search ConsentType = "AllPrincipals"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY user, object, ObjectId, ConsentType, Scope,
       dest, vendor_account, vendor_product, signature, src
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_tenant_wide_admin_consent_granted_filter`
Splunk Original SPL T1204.002 ↗
O365 Threat Intelligence Suspicious File Detected
The following analytic identifies when a malicious file is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.
Show query
`o365_management_activity` Workload=ThreatIntelligence Operation=AtpDetection
  | eval dest="NA"
  | eval src="NA"
  | stats values(DetectionMethod) as category values(FileData.FileName) as file_name values(FileData.FilePath) as file_path values(FileData.FileSize) as file_size values(FileData.MalwareFamily) as signature count, min(_time) as firstTime, max(_time) as lastTime
    BY Id, UserId, dest,
       src, vendor_account, vendor_product
  | rename Id as signature_id, UserId as user
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `o365_threat_intelligence_suspicious_file_detected_filter`
Splunk Original SPL T1078.004, T1586.003, T1621 ↗
Okta Authentication Failed During MFA Challenge
The following analytic identifies failed authentication attempts during the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication datamodel to detect specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This activity is significant as it may indicate an adversary attempting to authenticate with compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method FROM datamodel=Authentication
  WHERE Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure
  BY _time Authentication.src Authentication.user
     Authentication.dest Authentication.action
| `drop_dm_object_name("Authentication")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| iplocation src
| `okta_authentication_failed_during_mfa_challenge_filter`
Splunk Original SPL T1087.004 ↗
Okta IDP Lifecycle Modifications
The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.
Show query
`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate")
  | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified
    BY src dest src_user_id
       user user_agent command
       description
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `okta_idp_lifecycle_modifications_filter`