Detection-Rules

Detection Rule Hunting Queries

Clicking on the name of the query will bring you to the file for it in this git repo.

Or try them out right away in your M365 Security tenant:

Click on the '🔎' hotlink to plug the query right into your Advanced Hunting Query page

Severity: Low

Category: Malware

MITRE techniques: N/A

Description: A file was detected with two extensions at the end of the file name, with the final extension being an executable file type. This could indicate an attempt to trick a user into thinking an executable file is some type of document or media.

Recommended actions: Investigate the file with the double extension and determine if it is malicious or not. Quarantine the file if you determine it is malware.

Severity: Medium

Category: Credential Access

MITRE techniques: T1558

Description: Almost all Kerberos traffic should originate from lsass.exe, so other Windows processes reaching out to port 88 may indicate the presence of post-exploitation tooling such as Rubeus.

Recommended actions: Investigate the process generating Kerberos traffic. If the activity is deemed to be malicious, take immediate containment actions and look for lateral movement to and from the affected entities.

Severity: Low

Category: Privilege Escalation

MITRE techniques: T1068

Description: A vulnerable driver was discovered that is known to be exploited by malicious actors for privilege escalation.

Recommended actions: Investigate the origin of the driver and determine if it was created by a malicious process. If the driver is legitimate, determine whether the driver can be updated to a non-vulnerable version.

Severity: High

Category: Ransomware

MITRE techniques: N/A

Description: A non-browser executable was identified making a network connection to mega.io or mega.co.nz. This could indicate potential ransomware/extortion activity.

Recommended actions: Immediate investigation of the activity is advised. Isolate the host and restrict app execution if ransomware is suspected.

Severity: Low

Category: Initial Access

MITRE techniques: T1566.001, T1193

Description: A .one OneNote document was found in a non-standard folder, which may indicate the use of a macro-enabled .one attachment as a phishing attachment.

Recommended actions: Download and analyze the .one file and determine how it was created on the device. Look for suspicious activity coming from the OneNote process if the .one document was opened.

Severity: Low

Category: Initial Access

MITRE techniques: T1566.001, T1193

Description: An AAD/Entra Identity Protection alert was triggered for a user who may have received an email containing a QR code.

Recommended actions: Download and investigate the potential QR code image, and investigate the Identity Protection alert. Reach out to the affected user for details if needed.

Severity: Medium

Category: Ransomware

MITRE techniques: N/A

Description: The cloud sync program Rclone was seen making network connections on a host. This could indicate potential ransomware/extortion activity. This alert may generate false positives for legitimate use of Rclone.

Recommended actions: Immediate investigation of the activity is advised. Isolate the host and restrict app execution if ransomware is suspected.

Severity: High

Category: Ransomware

MITRE techniques: N/A

Description: A renamed version of the Rclone executable was found making network connections on a host. Since it's been renamed, it's likely to be ransomware/extortion activity.

Recommended actions: Immediate investigation of the activity is advised. Isolate the host and restrict app execution if ransomware is suspected.

Severity: Medium

Category: Privilege Escalation

MITRE techniques: T1078.002

Description: A highly privileged group was modified. This could indicate an attacker elevating an account they control to gain privileged access.

Recommended actions: Determine whether the group modification was expected, legitimate activity. If its legitimacy can't be confirmed, lock the account(s) involved in the privilege escalation.

Severity: High

Category: Discovery

MITRE techniques: T1033, T1069, T1069.001, T1069.002, T1082, T1087, T1087.001, T1087.002, T1482, T1615

Description: Files were discovered that had names consistent with SharpHound output. The files likely contain information that can help an adversary determine privilege escalation paths within your Active Directory domain.

Recommended actions: Investigate the process that created these files and respond appropriately to any discovered threats.

Severity: Medium

Category: Persistence

MITRE techniques: T1078, T1133, T1543, T1543.003

Description: Power Automate was silently registered with an MDM provider. This could indicate abuse of legitimate tools to obtain both persistence and command & control.

Recommended actions: Investigate the tenant that Power Automate was registered with and determine if this was expected activity or not.

Severity: Low

Category: Command and Control

MITRE techniques: T1219

Description: Legitimate IT remote control software was observed on a computer for the first time. This could be legitimate activity such as vendor support, or it could be a threat actor trying to blend in.

Recommended actions: Investigate the origin of the RMM software, and reach out to the end user to gather more information. If the use case is legitimate and will be recurring, update the detection rule to reduce false positives.

Severity: High

Category: Malware

MITRE techniques: N/A

Description: An endpoint has contacted a URL that has been reported as malicious to UrlHaus.

Recommended actions: Investigate the cause of the activity and look for related events.

Severity: High

Category: Malware

MITRE techniques: N/A

Description: An XLL file was discovered, followed by a network connection from the Excel.Application COM object. This may indicate that the XLL file was a malware dropper.

Recommended actions: Investigate the XLL file and URL of the network connection. Quarantine the device if malicious activity is suspected.