gitextract_10u3qxy0/
├── .gitignore
├── 00-query-submission-template.md
├── CODE_OF_CONDUCT.md
├── Campaigns/
│   ├── APT Baby Shark.txt
│   ├── APT29 thinktanks.txt
│   ├── Abuse.ch Recent Threat Feed.md
│   ├── Abusing settingcontent-ms.txt
│   ├── Bazacall/
│   │   ├── Bazacall Emails.md
│   │   ├── Cobalt Strike Lateral Movement.md
│   │   ├── Dropping payload via certutil.md
│   │   ├── Excel Macro Execution.md
│   │   ├── Excel file download domain pattern.md
│   │   ├── Malicious Excel Delivery.md
│   │   ├── NTDS theft.md
│   │   ├── Renamed Rclone Exfil.md
│   │   └── RunDLL Suspicious Network Connection.md
│   ├── Bazarloader/
│   │   ├── Stolen Images Execution.md
│   │   ├── Zip-Doc - Creation of JPG Payload File.md
│   │   └── Zip-Doc - Word Launching MSHTA.md
│   ├── Bear Activity GTR 2019.txt
│   ├── Cloud Hopper.txt
│   ├── DofoilNameCoinServerTraffic.txt
│   ├── Dopplepaymer In-Memory Malware Implant.txt
│   ├── Dragon Fly.txt
│   ├── Elise backdoor.txt
│   ├── Equation Group C2 Communication.txt
│   ├── Hurricane Panda activity.txt
│   ├── Judgement Panda exfil activity.txt
│   ├── Jupyter-Solarmaker/
│   │   ├── deimos-component-execution.md
│   │   ├── evasive-powershell-executions.md
│   │   ├── evasive-powershell-strings.md
│   │   └── successive-tk-domain-calls.md
│   ├── LemonDuck/
│   │   ├── LemonDuck-competition-killer.md
│   │   ├── LemonDuck-component-download-structure.md
│   │   ├── LemonDuck-component-names.md
│   │   ├── LemonDuck-control-structure.md
│   │   ├── LemonDuck-defender-exclusions.md
│   │   ├── LemonDuck-email-subjects.md
│   │   ├── LemonDuck-id-generation.md
│   │   └── LemonDuck-registration-function.md
│   ├── Log4J/
│   │   ├── Alerts related to Log4j vulnerability.md
│   │   ├── Devices with Log4j vulnerability alerts and additional other alert related context.md
│   │   ├── Suspicious JScript staging comment.md
│   │   ├── Suspicious PowerShell curl flags.md
│   │   └── Suspicious process event creation from VMWare Horizon TomcatService.md
│   ├── MacOceanLotusBackdoor.txt
│   ├── MacOceanLotusDropper.txt
│   ├── Macaw Ransomware/
│   │   ├── Disable Controlled Folders.md
│   │   ├── Imminent Ransomware.md
│   │   ├── Inhibit recovery by disabling tools and functionality.md
│   │   ├── Mass account password change.md
│   │   ├── PSExec Attrib commands.md
│   │   └── Use of MSBuild as LOLBin.md
│   ├── OceanLotus registry activity.txt
│   ├── Qakbot/
│   │   ├── Excel launching anomalous processes.md
│   │   ├── General attempts to access local email store.md
│   │   ├── Qakbot Craigslist Domains.md
│   │   ├── Qakbot email theft.md
│   │   └── Qakbot reconnaissance activities.md
│   ├── Ransomware hits healthcare - Alternate Data Streams use.txt
│   ├── Ransomware hits healthcare - Backup deletion.txt
│   ├── Ransomware hits healthcare - Cipher.exe tool deleting data.txt
│   ├── Ransomware hits healthcare - Clearing of system logs.txt
│   ├── Ransomware hits healthcare - Possible compromised accounts.txt
│   ├── Ransomware hits healthcare - Robbinhood activity.txt
│   ├── Ransomware hits healthcare - Turning off System Restore.txt
│   ├── Ransomware hits healthcare - Vulnerable Gigabyte drivers.txt
│   ├── StrRAT malware/
│   │   ├── StrRAT-AV-Discovery.md
│   │   ├── StrRAT-Email-Delivery.md
│   │   └── StrRAT-Malware-Persistence.md
│   ├── Sysrv-botnet/
│   │   ├── app-armor-stopped.md
│   │   ├── java-executing-cmd-to-run-powershell.md
│   │   ├── kinsing-miner-download.md
│   │   ├── oracle-webLogic-executing-powershell.md
│   │   ├── rce-on-vulnerable-server.md
│   │   └── tomcat-8-executing-powershell.md
│   ├── Threat actor Phosphorus masquerading as conference organizers.md
│   ├── WastedLocker Downloader.md
│   ├── ZLoader/
│   │   ├── Malicious bat file.md
│   │   ├── Payload Delivery.md
│   │   └── Suspicious Registry Keys.md
│   ├── apt sofacy zebrocy.txt
│   ├── apt sofacy.txt
│   ├── apt ta17 293a ps.txt
│   ├── apt tropictrooper.txt
│   ├── apt unidentified nov 18.txt
│   ├── c2-lookup-from-nonbrowser[Nobelium].md
│   ├── c2-lookup-response[Nobelium].md
│   ├── cobalt-strike-invoked-w-wmi.md
│   ├── compromised-certificate[Nobelium].md
│   ├── confluence-weblogic-targeted.md
│   ├── cypherpunk-exclusive-commands.md
│   ├── cypherpunk-remote-exec-w-psexesvc.md
│   ├── detect-cyzfc-activity.md
│   ├── fireeye-red-team-tools-CVEs [Nobelium].md
│   ├── fireeye-red-team-tools-HASHs [Nobelium].md
│   ├── known-affected-software-orion[Nobelium].md
│   ├── launching-base64-powershell[Nobelium].md
│   ├── launching-cmd-echo[Nobelium].md
│   ├── locate-dll-created-locally[Nobelium].md
│   ├── locate-dll-loaded-in-memory[Nobelium].md
│   ├── oceanlotus-apt32-files.md
│   ├── oceanlotus-apt32-network.md
│   ├── possible-affected-software-orion[Nobelium].md
│   ├── robbinhood-driver.md
│   ├── robbinhood-evasion.md
│   ├── snip3-aviation-targeting-emails.md
│   ├── snip3-detectsanboxie-function-call.md
│   ├── snip3-encoded-powershell-structure.md
│   ├── snip3-malicious-network-connectivity.md
│   └── snip3-revengerat-c2-exfiltration.md
├── Collection/
│   ├── Anomaly of MailItemAccess by Other Users Mailbox [Nobelium].md
│   ├── HostExportingMailboxAndRemovingExport[Solarigate].md
│   └── MailItemsAccessedTimeSeries[Solarigate].md
├── Command and Control/
│   ├── C2-NamedPipe.md
│   ├── Connection to Rare DNS Hosts.md
│   ├── DNSPattern [Nobelium].md
│   ├── Device network events w low count FQDN.txt
│   ├── EncodedDomainURL [Nobelium].md
│   ├── Tor.txt
│   ├── c2-bluekeep.md
│   ├── check-for-shadowhammer-activity-download-domain.md
│   ├── python-use-by-ransomware-macos.md
│   ├── recon-with-rundll.md
│   └── reverse-shell-ransomware-macos.md
├── Credential Access/
│   ├── Active Directory Sensitive Group Modifications.md
│   ├── Private Key Files.txt
│   ├── cobalt-strike.md
│   ├── doppelpaymer-procdump.md
│   ├── identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike.md
│   ├── lazagne.md
│   ├── logon-attempts-after-malicious-email.md
│   ├── procdump-lsass-credentials.md
│   ├── wadhrama-credential-dump.md
│   └── wdigest-caching.md
├── Defense evasion/
│   ├── ADFSDomainTrustMods[Nobelium].md
│   ├── Discovering potentially tampered devices [Nobelium].md
│   ├── MailPermissionsAddedToApplication[Nobelium].md
│   ├── PotentialMicrosoftDefenderTampering[Solarigate].md
│   ├── UpdateStsRefreshToken[Solorigate].md
│   ├── alt-data-streams.md
│   ├── clear-system-logs.md
│   ├── deleting-data-w-cipher-tool.md
│   ├── doppelpaymer-stop-services.md
│   ├── hiding-java-class-file.md
│   ├── locate-files-possibly-signed-by-fraudulent-ecc-certificates.md
│   ├── qakbot-campaign-process-injection.md
│   └── qakbot-campaign-self-deletion.md
├── Delivery/
│   ├── Doc attachment with link to download.txt
│   ├── Dropbox downloads linked from other site.txt
│   ├── Email link + download + SmartScreen warning.txt
│   ├── Gootkit-malware.md
│   ├── Open email link.txt
│   ├── Pivot from detections to related downloads.txt
│   ├── Qakbot Craigslist Domains.md
│   ├── detect-jscript-file-creation.md
│   └── powercat-download.md
├── Discovery/
│   ├── Detect-Not-Active-AD-User-Accounts.md
│   ├── DetectTorRelayConnectivity.md
│   ├── DetectTorrentUse.txt
│   ├── Discover hosts doing possible network scans.txt
│   ├── Enumeration of users & groups for lateral movement.txt
│   ├── MultipleLdaps.md
│   ├── MultipleSensitiveLdaps.md
│   ├── PasswordSearch.md
│   ├── PrevalentInteractiveLogons
│   ├── Roasting.md
│   ├── SMB shares discovery.txt
│   ├── SensitiveLdaps.md
│   ├── SuspiciousEnumerationUsingAdfind[Nobelium].md
│   ├── URL Detection.txt
│   ├── VulnComputers.md
│   ├── detect-nbtscan-activity.md
│   ├── detect-suspicious-commands-initiated-by-web-server-processes.md
│   ├── doppelpaymer.md
│   ├── qakbot-campaign-esentutl.md
│   └── qakbot-campaign-outlook.md
├── Email Queries/
│   ├── Appspot Phishing Abuse.md
│   ├── JNLP-File-Attachment.md
│   ├── PhishingEmailUrlRedirector.md
│   └── referral-phish-emails.md
├── Execution/
│   ├── Base64 Detector and Decoder.md
│   ├── Base64encodePEFile.txt
│   ├── Detect Encoded Powershell.md
│   ├── Detect PowerShell v2 Downgrade.md
│   ├── ExecuteBase64DecodedPayload.txt
│   ├── File Copy and Execution.md
│   ├── Malware_In_recyclebin.txt
│   ├── Masquerading system executable.txt
│   ├── Possible Ransomware Related Destruction Activity.md
│   ├── PowerShell downloads.txt
│   ├── PowershellCommand - uncommon commands on machine.txt
│   ├── PowershellCommand footprint.txt
│   ├── Webserver Executing Suspicious Applications.md
│   ├── check-for-shadowhammer-activity-implant.md
│   ├── detect-anomalous-process-trees.md
│   ├── detect-bluekeep-related-mining.md
│   ├── detect-doublepulsar-execution.md
│   ├── detect-exploitation-of-cve-2018-8653.md
│   ├── detect-malcious-use-of-msiexec.md
│   ├── detect-malicious-rar-extraction.md
│   ├── detect-office-products-spawning-wmic.md
│   ├── detect-suspicious-mshta-usage.md
│   ├── detect-web-server-exploit-doublepulsar.md
│   ├── exchange-iis-worker-dropping-webshell.md
│   ├── jse-launched-by-word.md
│   ├── launch-questd-w-osascript.md
│   ├── locate-shlayer-payload-decryption-activity.md
│   ├── locate-shlayer-payload-decrytion-activity.md
│   ├── locate-surfbuyer-downloader-decoding-activity.md
│   ├── office-apps-launching-wscipt.md
│   ├── powershell-activity-after-email-from-malicious-sender.md
│   ├── powershell-version-2.0-execution.md
│   ├── python-based-attacks-on-macos.md
│   ├── qakbot-campaign-suspicious-javascript.md
│   ├── reverse-shell-nishang-base64.md
│   ├── reverse-shell-nishang.md
│   ├── sql-server-abuse.md
│   ├── umworkerprocess-creating-webshell.md
│   └── umworkerprocess-unusual-subprocess-activity.md
├── Exfiltration/
│   ├── 7-zip-prep-for-exfiltration.md
│   ├── Anomaly of MailItemAccess by GraphAPI [Nobelium].md
│   ├── Data copied to other location than C drive.txt
│   ├── Files copied to USB drives.md
│   ├── MailItemsAccessed Throttling [Nobelium].md
│   ├── Map external devices.txt
│   ├── OAuth Apps accessing user mail via GraphAPI [Nobelium].md
│   ├── OAuth Apps reading mail both via GraphAPI and directly [Nobelium].md
│   ├── OAuth Apps reading mail via GraphAPI anomaly [Nobelium].md
│   ├── Password Protected Archive Creation.md
│   ├── Possible File Copy to USB Drive.md
│   ├── detect-archive-exfiltration-to-competitor.md
│   ├── detect-exfiltration-after-termination.md
│   ├── detect-steganography-exfiltration.md
│   └── exchange-powershell-snapin-loaded.md
├── Exploits/
│   ├── AcroRd-Exploits.txt
│   ├── CVE-2021-36934 usage detection.md
│   ├── Electron-CVE-2018-1000006.txt
│   ├── Flash-CVE-2018-4848.txt
│   ├── Linux-DynoRoot-CVE-2018-1111.txt
│   ├── MosaicLoader.md
│   ├── Print Spooler RCE/
│   │   ├── Spoolsv Spawning Rundll32.md
│   │   ├── Suspicious DLLs in spool folder.md
│   │   ├── Suspicious Spoolsv Child Process.md
│   │   └── Suspicious files in spool folder.md
│   ├── SolarWinds -CVE-2021-35211.md
│   ├── printnightmare-cve-2021-1675 usage detection.md
│   ├── winrar-cve-2018-20250-ace-files.md
│   └── winrar-cve-2018-20250-file-creation.md
├── Fun/
│   ├── EmojiHunt.txt
│   ├── HiddenMessage.txt
│   └── Make FolderPath Vogon Poetry.md
├── General queries/
│   ├── Alert Events from Internal IP Address.txt
│   ├── AppLocker Policy Design Assistant.md
│   ├── Baseline Comparison.txt
│   ├── Crashing Applications.md
│   ├── Detect Azure RemoteIP.md
│   ├── Device Count by DNS Suffix.md
│   ├── Device uptime calculation.md
│   ├── Endpoint Agent Health Status Report.md
│   ├── Events surrounding alert.txt
│   ├── Failed Logon Attempt.txt
│   ├── File footprint.txt
│   ├── Firewall Policy Design Assistant.md
│   ├── MD AV Signature and Platform Version.md
│   ├── MITRE - Suspicious Events.txt
│   ├── Machine info from IP address.txt
│   ├── Network footprint.txt
│   ├── Network info of machine.txt
│   ├── Phish and Malware received by user vs total amount of email.md
│   ├── Services.txt
│   ├── System Guard Security Level Baseline.txt
│   ├── System Guard Security Level Drop.txt
│   ├── insider-threat-detection-queries.md
│   └── wifikeys.txt
├── Impact/
│   ├── backup-deletion.md
│   ├── ransom-note-creation-macos.md
│   ├── turn-off-system-restore.md
│   └── wadhrama-data-destruction.md
├── Initial access/
│   ├── Check for Maalware Baazar (abuse.ch) hashes in your mail flow.md
│   ├── Non_intended_user_logon.md
│   ├── PhishingEmailUrlRedirector.md
│   ├── SuspiciousUrlClicked.md
│   ├── WhenZAPed.md
│   ├── detect-bluekeep-exploitation-attempts.md
│   ├── detect-mailsniper.md
│   ├── files-from-malicious-sender.md
│   ├── identify-potential-missed-phishing-email-campaigns.md
│   └── jar-attachments.md
├── LICENSE
├── Lateral Movement/
│   ├── Account brute force.txt
│   ├── Device Logons from Unknown IPs.txt
│   ├── ImpersonatedUserFootprint.md
│   ├── Network Logons with Local Accounts.md
│   ├── Non-local logons with -500 account.txt
│   ├── ServiceAccountsPerformingRemotePS.txt
│   ├── detect-suspicious-rdp-connections.md
│   ├── doppelpaymer-psexec.md
│   └── remote-file-creation-with-psexec.md
├── M365-PowerBi Dashboard/
│   ├── Microsoft Threat Protection - API Dashboard.pbit
│   └── readme.txt
├── Network/
│   └── Defender for Endpoint Telemetry.txt
├── Notebooks/
│   ├── M365D APIs ep3.ipynb
│   ├── WDATP APIs Demo Notebook.ipynb
│   └── mtp_hunting.ipynb
├── Persistence/
│   ├── Accessibility Features.txt
│   ├── AddedCredentialFromContryXAndSigninFromCountryY.md
│   ├── Create account.txt
│   ├── CredentialsAddAfterAdminConsentedToApp[Nobelium].md
│   ├── LocalAdminGroupChanges.txt
│   ├── NewAppOrServicePrincipalCredential[Nobelium].md
│   ├── Possible webshell drop.md
│   ├── detect-prifou-pua.md
│   ├── localAdminAccountLogon.txt
│   ├── qakbot-campaign-registry-edit.md
│   ├── scheduled task creation.txt
│   └── wadhrama-ransomware.md
├── Privilege escalation/
│   ├── Add uncommon credential type to application [Nobelium].md
│   ├── SAM-Name-Changes-CVE-2021-42278.md
│   ├── ServicePrincipalAddedToRole [Nobelium].md
│   ├── cve-2019-0808-c2.md
│   ├── cve-2019-0808-nufsys-file creation.md
│   ├── cve-2019-0808-set-scheduled-task.md
│   ├── dell-driver-vulnerability-2021.md
│   ├── detect-cve-2019-0863-AngryPolarBearBug2-exploit.md
│   ├── detect-cve-2019-0973-installerbypass-exploit.md
│   ├── detect-cve-2019-1053-sandboxescape-exploit.md
│   ├── detect-cve-2019-1069-bearlpe-exploit.md
│   ├── detect-cve-2019-1129-byebear-exploit.md
│   └── locate-ALPC-local-privilege-elevation-exploit.md
├── Protection events/
│   ├── AV Detections with Source.txt
│   ├── AV Detections with USB Disk Drive.txt
│   ├── Antivirus detections.txt
│   ├── ExploitGuardASRStats.txt
│   ├── ExploitGuardAsrDescriptions.txt
│   ├── ExploitGuardBlockOfficeChildProcess.txt
│   ├── ExploitGuardControlledFolderAccess.txt
│   ├── ExploitGuardNetworkProtectionEvents.txt
│   ├── ExploitGuardStats.txt
│   ├── PUA ThreatName per Computer.txt
│   ├── README.md
│   ├── SmartScreen URL block ignored by user.txt
│   ├── SmartScreen app block ignored by user.txt
│   ├── Windows filtering events (Firewall).txt
│   └── WindowsDefenderAVEvents.txt
├── README.md
├── Ransomware/
│   ├── Backup deletion.md
│   ├── Check for multiple signs of ransomware activity.md
│   ├── Clearing of forensic evidence from event logs using wevtutil.md
│   ├── DarkSide.md
│   ├── Deletion of data on multiple drives using cipher exe.md
│   ├── Discovery for highly-privileged accounts.md
│   ├── Distribution from remote location.md
│   ├── Fake Replies.md
│   ├── File Backup Deletion Alerts.md
│   ├── Gootkit File Delivery.md
│   ├── HTA Startup Persistence.md
│   ├── IcedId Delivery.md
│   ├── IcedId attachments.md
│   ├── IcedId email delivery.md
│   ├── LaZagne Credential Theft.md
│   ├── Potential ransomware activity related to Cobalt Strike.md
│   ├── Qakbot discovery activies.md
│   ├── Sticky Keys.md
│   ├── Stopping multiple processes using taskkill.md
│   ├── Stopping processes using net stop.md
│   ├── Suspicious Bitlocker Encryption.md
│   ├── Suspicious Google Doc Links.md
│   ├── Suspicious Image Load related to IcedId.md
│   ├── Turning off System Restore.md
│   └── Turning off services using sc exe.md
├── SECURITY.md
├── TVM/
│   └── devices_with_vuln_and_users_received_payload.md
├── Troubleshooting/
│   ├── Connectivity Failures by Device.md
│   └── Connectivity Failures by Domain.md
└── Webcasts/
    ├── Airlift 2021 - Lets Invoke.csl
    ├── Ignite 2020 - Best practices for hunting across domains with Microsoft 365 Defender.txt
    ├── README.md
    ├── TrackingTheAdversary/
    │   ├── Episode 1 - KQL Fundamentals.txt
    │   ├── Episode 2 - Joins.txt
    │   ├── Episode 3 - Summarizing, Pivoting, and Joining.txt
    │   ├── Episode 4 - Lets Hunt.txt
    │   └── README.md
    └── l33tSpeak/
        ├── MCAS - The Hunt.txt
        ├── Performance, Json and dynamics operator, external data.txt
        └── l33tspeak 11 Oct 2021 - externaldata and query partitioning.csl