Detections_
Detection queries for SIEM and SOAR platforms. SPL, KQL, EQL and more.
Potential EtherHiding Activity via Blockchain Explorer Connections
Defender XDR: Detects suspicious network connections to blockchain explorer APIs that may indicate UNC5342's use of new EtherHiding techniques for retrieving malicious payloads.

ScatteredSpider Domain Phishing Campaigns via Network, Email, and Teams Interactions
Defender XDR: Detects suspicious logins or actions triggered by phishing links to ScatteredSpider (SS) domains (e.g., ServiceDesk, Okta) across network connections, email delivery, SafeLinks cli…

Privilege Escalation via Role Assignments Outside Business Hours
Microsoft Sentinel: Detects unauthorized privilege escalation attempts, such as adding admin/management roles to users outside standard business hours, potentially indicating malicious activity.

Cryptominer Activity via PowerShell Script Execution and PrintUI Abuse
Defender XDR: Detects cryptomining activity using PowerShell scripts with hardcoded IDs (e.g., `x123456.vbs`) or exploiting print management utilities like `printui.exe` in Windows System32.

New External Teams Chat Recipient Detection
Microsoft Sentinel: Detects newly added external recipients in Microsoft Teams chat threads who were not previously engaged with internal senders.

High Volume Screenshot Activity Detection
Defender XDR: Detects unusual screenshot activity on a device, potentially indicating malicious behavior or excessive legitimate use.

Network Connections to Known Dynamic DNS Subdomains
Defender XDR: Detects suspicious network connections to dynamic DNS (DDNS) subdomains often used for lateral movement or evasion.

Rapid Bulk SharePoint File Downloads from Unregistered Devices
Microsoft Sentinel: Detects suspicious rapid bulk downloads of SharePoint files following sign-ins from unregistered devices.

Suspicious Ollama API Connections and AI Command Execution
Defender XDR: Detects suspicious activity related to PromptLock ransomware, which abuses the Ollama AI API for command execution and lateral movement.

Potential Data Exfiltration via Ping.exe with Large Payloads
Defender XDR: Detects suspicious `ping.exe` executions with `/l` or `-l` flags and large payload sizes, indicating potential data exfiltration attempts.

Suspicious Drive-by Shell Execution via Browser Process
Defender XDR: Detects malicious command shell execution (cmd.exe or PowerShell) spawned by common browser processes, followed by suspicious network activity.

Unusual User Activity from New Geographic Locations
Microsoft Sentinel: Detects anomalous sign-in activity originating from geographic locations not previously observed for a user within a 14-day baseline period.