Detections_

Detection queries for SIEM and SOAR platforms. SPL, KQL, EQL and more.

Potential EtherHiding Activity via Blockchain Explorer Connections

Defender XDR

Detects suspicious network connections to blockchain explorer APIs that may indicate UNC5342’s use of new EtherHiding techniques for retrieving malicious payloads.

Tags: blockchain, malware-download, lateral-movement

ScatteredSpider Domain Phishing Campaigns via Network, Email, and Teams Interactions

Defender XDR

Detects suspicious logins or actions triggered by phishing links to ScatteredSpider (SS) domains (e.g., ServiceDesk, Okta) across network connections, email delivery, SafeLinks cli…

Tags: phishing, authentication-abuse, lateral-movement-risk

Privilege Escalation via Role Assignments Outside Business Hours

Microsoft Sentinel

Detects unauthorized privilege escalation attempts, i.e. admin or management roles being added to users outside standard business hours, which may indicate malicious activity.

Tags: privilege-escalation, role-assignment, out-of-hours

Cryptominer Activity via PowerShell Script Execution and PrintUI Abuse

Defender XDR

Detects cryptomining activity using PowerShell scripts with hardcoded IDs (e.g., `x123456.vbs`) or exploiting print management utilities like `printui.exe` in Windows System32.

Tags: malware, cryptomining, powershell

New External Teams Chat Recipient Detection

Microsoft Sentinel

Detects newly added external recipients in Microsoft Teams chat threads who were not previously engaged with internal senders.

Tags: teams, external-recipients, lateral-movement

High Volume Screenshot Activity Detection

Defender XDR

Detects unusual screenshot activity on a device, potentially indicating malicious behavior or excessive legitimate use.

Tags: file-injection, screen-capture, high-volume-data

Network Connections to Known Dynamic DNS Subdomains

Defender XDR

Detects suspicious network connections to dynamic DNS (DDNS) subdomains often used for lateral movement or evasion.

Tags: dns, dynamic-dns, lateral-movement

Rapid Bulk SharePoint File Downloads from Unregistered Devices

Microsoft Sentinel

Detects suspicious rapid bulk downloads of SharePoint files following sign-ins from unregistered devices.

Tags: sharepoint, file-download, unregistered-device

Suspicious Ollama API Connections and AI Command Execution

Defender XDR

Detects suspicious activity related to PromptLock ransomware, which abuses the Ollama AI API for command execution and lateral movement.

Tags: ransomware, lateral-movement, ai-tooling

Potential Data Exfiltration via Ping.exe with Large Payloads

Defender XDR

Detects suspicious `ping.exe` executions with `/l` or `-l` flags and large payload sizes, indicating potential data exfiltration attempts.

Tags: data-exfiltration, process-injection, network-exploitation

Suspicious Drive-by Shell Execution via Browser Process

Defender XDR

Detects malicious command shell execution (cmd.exe or PowerShell) spawned by common browser processes, followed by suspicious network activity.

Tags: drive-by-download, browser-exploitation, command-shell

Unusual User Activity from New Geographic Locations

Microsoft Sentinel

Detects anomalous sign-in activity originating from geographic locations not previously observed for a user within a 14-day baseline period.

Tags: geographic-anomaly, lateral-movement, ip-anomaly