
Sample queries for Advanced hunting in Microsoft 365 Defender

48 Microsoft-365-Defender-Hunting-Queries issues (sorted by recently updated)

Log from Power BI Desktop x64, Version: 2.99.782.0 64-bit (November 2021):
```
AadUsers OLE DB or ODBC error: Exception from HRESULT: 0x80040E4E.
Alerts Load was cancelled by an error in...
```

Add first detection of the exefile shell open key to the repo. See also https://twitter.com/swisscom_csirt/status/1461686311769759745 for a short description. It is currently used by Lokibot for persistence. Sneaky! Once in...

I would like to bring to your attention that the [Process injection by Qakbot malware](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Defense%20evasion/qakbot-campaign-process-injection.md) is misleading since the query is actually for the cookie and browsing history theft of...

Corrected the query to the one corresponding to the process injection; the previously published one was for cookie and browsing history theft.

M365D Advanced Hunting - Attack Surface Reduction Rules Device Events

It should be ProcessCommandLine instead of InitiatingProcessCommandLine for recon processes spawned by injected parent processes:
```
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and ProcessCommandLine has_all('view','/all')) or (FileName...
```
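The column mix-up in the issue above is easy to check offline. The following Python is an added example, not code from the repository or the issue author: it approximates the KQL operators the quoted query uses (`in~`, `=~`, `has_all`) and runs the filter over a handful of constructed DeviceProcessEvents-style rows, once against the child's `ProcessCommandLine` and once against the parent's `InitiatingProcessCommandLine`. Only the `net.exe` branch is reproduced because the issue text is truncated after it; the sample rows and the `has_all` tokenisation are assumptions for illustration.

```python
import re
from typing import Iterable

# Constructed DeviceProcessEvents-style rows (not real telemetry). Only the
# columns the quoted query touches are included.
SAMPLE_EVENTS = [
    {   # recon child of an injected mobsync.exe: should be flagged
        "FileName": "net.exe",
        "ProcessCommandLine": "net view /all",
        "InitiatingProcessFileName": "mobsync.exe",
        "InitiatingProcessCommandLine": r"C:\Windows\System32\mobsync.exe -Embedding",
    },
    {   # same recon with different casing and an extra argument: KQL string operators are case-insensitive
        "FileName": "NET.EXE",
        "ProcessCommandLine": "NET VIEW /ALL /DOMAIN",
        "InitiatingProcessFileName": "Explorer.EXE",
        "InitiatingProcessCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # net.exe under explorer.exe but not the recon pattern: no match
        "FileName": "net.exe",
        "ProcessCommandLine": r"net use Z: \\fileserver\share",
        "InitiatingProcessFileName": "explorer.exe",
        "InitiatingProcessCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # recon pattern but the parent is not in the watch list: no match
        "FileName": "net.exe",
        "ProcessCommandLine": "net view /all",
        "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessCommandLine": r"C:\Windows\System32\cmd.exe /c net view /all",
    },
]

# Parent list from the quoted query's in~ clause.
WATCHED_PARENTS = ("mobsync.exe", "explorer.exe")


def kql_has_all(text: str, terms: Iterable[str]) -> bool:
    """Approximation of KQL has_all: every term must occur case-insensitively
    as a whole token, i.e. not embedded in a longer alphanumeric run
    ("viewer" does not satisfy the term "view")."""
    for term in terms:
        pattern = r"(?<![0-9a-z])" + re.escape(term) + r"(?![0-9a-z])"
        if re.search(pattern, text, re.IGNORECASE) is None:
            return False
    return True


def kql_eq_ci(a: str, b: str) -> bool:
    """KQL =~ : case-insensitive string equality."""
    return a.lower() == b.lower()


def is_recon_child(row: dict, cmdline_column: str = "ProcessCommandLine") -> bool:
    """The quoted filter evaluated on one row. cmdline_column selects which
    column has_all() is applied to, so the reported bug can be reproduced by
    passing "InitiatingProcessCommandLine"."""
    parent_ok = any(kql_eq_ci(row["InitiatingProcessFileName"], p) for p in WATCHED_PARENTS)
    if not parent_ok:
        return False
    # Only the net.exe branch is reproduced; the issue text truncates the rest.
    return kql_eq_ci(row["FileName"], "net.exe") and kql_has_all(row[cmdline_column], ("view", "/all"))


def hunt(events: list, cmdline_column: str = "ProcessCommandLine") -> list:
    """Return the indices of rows the filter flags."""
    return [i for i, row in enumerate(events) if is_recon_child(row, cmdline_column)]


if __name__ == "__main__":
    # Child command line carries the recon arguments: rows 0 and 1 are flagged.
    print("ProcessCommandLine hits:", hunt(SAMPLE_EVENTS))  # [0, 1]
    # Parent command line never contains "view": nothing is flagged.
    print("InitiatingProcessCommandLine hits:",
          hunt(SAMPLE_EVENTS, "InitiatingProcessCommandLine"))  # []
```

The second run is the behaviour the issue reports: with `InitiatingProcessCommandLine` the `has_all('view','/all')` test is applied to the injected parent's own command line, which carries no recon arguments, so the rule never fires even though the `net view /all` children are present.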