Clicking on the name of a query will take you to its file in this git repo.
Or try the queries out right away in your M365 Security tenant: click the '🔎' hotlink to load the query directly into your Advanced Hunting query page.
Severity: Low
Category: Malware
MITRE techniques: N/A
Description: A file was detected whose name ends in two extensions, with the final extension being an executable file type (for example, invoice.pdf.exe). This could indicate an attempt to trick a user into thinking an executable file is a document or media file.
Recommended actions: Investigate the file with the double extension and determine if it is malicious or not. Quarantine the file if you determine it is malware.
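One way to express this detection in Advanced Hunting KQL, as an added example (not one of the repository's own queries). The extension lists are assumptions to tune for your environment; the technique corresponds to MITRE ATT&CK T1036.007 (Masquerading: Double File Extension).

```kusto
// Added example, not a query from this repository.
// Flags files named "<base>.<document-like ext>.<executable ext>", e.g. invoice.pdf.exe.
// Both extension lists below are assumptions; extend them to match what you see.
let ExecutableExtensions = dynamic(["exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                                    "js", "jse", "wsf", "wsh", "hta", "msi"]);
let DocumentLikeExtensions = dynamic(["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
                                      "jpg", "jpeg", "png", "gif", "mp3", "mp4", "avi", "zip", "rar"]);
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileRenamed")
| extend LowerName = tolower(FileName)
// InnerExt = second-to-last extension, FinalExt = last extension
| extend InnerExt = extract(@"\.([a-z0-9]{1,5})\.[a-z0-9]{1,4}$", 1, LowerName),
         FinalExt = extract(@"\.([a-z0-9]{1,4})$", 1, LowerName)
| where isnotempty(InnerExt) and isnotempty(FinalExt)
| where FinalExt in (ExecutableExtensions) and InnerExt in (DocumentLikeExtensions)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

Build output directories and installers produce legitimate double extensions; add folder-path exclusions rather than widening the inner-extension list, and pivot on the SHA256 before quarantining.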
Severity: High
Category: Ransomware
MITRE techniques: N/A
Description: A non-browser executable was identified making a network connection to mega.io or mega.co.nz. MEGA is a cloud storage service commonly used to stage stolen data, so this could indicate ransomware/extortion activity.
Recommended actions: Immediate investigation of the activity is advised. Isolate the host and restrict app execution if ransomware is suspected.
Severity: Medium
Category: Ransomware
MITRE techniques: N/A
Description: The cloud sync program Rclone was seen making network connections on a host. This could indicate potential ransomware/extortion activity. This alert may generate false positives for legitimate use of Rclone.
Recommended actions: Immediate investigation of the activity is advised. Isolate the host and restrict app execution if ransomware is suspected.
Severity: High
Category: Ransomware
MITRE techniques: N/A
Description: A renamed copy of the Rclone executable was found making network connections on a host. Because the binary has been renamed, this is far more likely to be ransomware/extortion activity than legitimate use.
Recommended actions: Immediate investigation of the activity is advised. Isolate the host and restrict app execution if ransomware is suspected.
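The three exfiltration detections above (non-browser connections to MEGA, Rclone on the network, and a renamed Rclone) share the same data source, so here is one added Advanced Hunting example covering all three; it is not one of the repository's queries. It assumes your tenant populates InitiatingProcessVersionInfoOriginalFileName (the PE header's original file name, which survives a rename) and that the browser list below fits your estate. This activity maps to MITRE ATT&CK T1567.002 (Exfiltration to Cloud Storage).

```kusto
// Added example, not a query from this repository.
// 1) non-browser process talking to MEGA, 2) Rclone making connections,
// 3) Rclone renamed to something else, caught on the PE original file name.
let Browsers = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
                        "brave.exe", "opera.exe", "msedgewebview2.exe"]);   // assumption: tune for your estate
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| extend Proc = tolower(InitiatingProcessFileName),
         OriginalName = tolower(InitiatingProcessVersionInfoOriginalFileName)
// the two domains named on this page; has_any is case-insensitive and matches subdomains
| extend ToMega = RemoteUrl has_any ("mega.io", "mega.co.nz")
| extend IsRclone = Proc == "rclone.exe" or OriginalName == "rclone.exe"
| extend RenamedRclone = OriginalName == "rclone.exe" and Proc != "rclone.exe"
| where (ToMega and Proc !in (Browsers)) or IsRclone
| extend Verdict = case(
      RenamedRclone, "High: renamed Rclone",
      ToMega and Proc !in (Browsers), "High: non-browser process to MEGA",
      IsRclone, "Medium: Rclone network activity",
      "Unclassified")
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            RemoteUrls = make_set(RemoteUrl, 10), RemoteIPs = make_set(RemoteIP, 10)
    by DeviceName, Verdict, Proc, OriginalName, InitiatingProcessFolderPath,
       InitiatingProcessSHA256, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Verdict asc, LastSeen desc
```

The command line is kept in the output because Rclone's arguments usually name the remote and the source directory, which tells you immediately what was being copied and where. Legitimate Rclone use (backup jobs, developers) will show up under the Medium verdict; the renamed-binary and MEGA cases have far fewer benign explanations.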
Severity: Medium
Category: Privilege escalation
MITRE techniques: T1078.002
Description: A highly privileged group was modified. This could indicate an attacker elevating an account they control to gain privileged access.
Recommended actions: Determine whether the group modification was expected, legitimate activity. If its legitimacy can't be confirmed, lock the account(s) involved in the privilege escalation and revert the group change.
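An added Advanced Hunting example for this detection, built on Defender for Identity's IdentityDirectoryEvents table (not one of the repository's own queries). It assumes the "Group Membership changed" events carry the group name in the AdditionalFields keys TO.GROUP and FROM.GROUP, and the privileged-group list is an assumption to align with your own tier-0 definition.

```kusto
// Added example, not a query from this repository.
// Membership changes on high-privilege AD groups, with the actor and the target account.
let PrivilegedGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                                "Account Operators", "Backup Operators", "Server Operators",
                                "Print Operators", "DnsAdmins", "Group Policy Creator Owners",
                                "Key Admins", "Enterprise Key Admins"]);   // assumption: match your tier-0 list
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == "Group Membership changed"
// assumption: TO.GROUP is set on additions, FROM.GROUP on removals
| extend ToGroup = tostring(AdditionalFields["TO.GROUP"]),
         FromGroup = tostring(AdditionalFields["FROM.GROUP"])
| extend Group = iff(isnotempty(ToGroup), ToGroup, FromGroup),
         Change = iff(isnotempty(ToGroup), "added", "removed")
| where Group in~ (PrivilegedGroups)
| project Timestamp, Change, Group,
          TargetAccountUpn, TargetAccountDisplayName,
          ActorAccountName = AccountName, ActorDomain = AccountDomain,
          DeviceName, Application
| order by Timestamp desc
```

Removals are kept in the output on purpose: an attacker who adds themselves and later cleans up leaves two events, and the removal is often the one that surfaces first. Compare the actor against your change records or PIM activations before locking anything.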
Severity: High
Category: Discovery
MITRE techniques: T1033, T1069, T1069.001, T1069.002, T1082, T1087, T1087.001, T1087.002, T1482, T1615
Description: Files were discovered that had names consistent with SharpHound output. The files likely contain information that can help an adversary determine privilege escalation paths within your Active Directory domain.
Recommended actions: Investigate the process that created these files and respond appropriately to any discovered threats.
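An added Advanced Hunting example for this detection (not one of the repository's queries). It assumes the collector kept SharpHound's default output naming: a 14-digit timestamp prefix followed by the collection type, such as 20240101120000_computers.json or 20240101120000_BloodHound.zip. Operators who change the output prefix or zip name will not match.

```kusto
// Added example, not a query from this repository.
// SharpHound default output names: <yyyyMMddHHmmss>_<collection>.json and <yyyyMMddHHmmss>_BloodHound.zip
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName matches regex @"(?i)^\d{14}_(computers|users|groups|domains|sessions|gpos|ous|containers|BloodHound)\.(json|zip)$"
// FolderPath in DeviceFileEvents includes the file name; keep only the directory for grouping
| extend Directory = tostring(parse_path(FolderPath).DirectoryPath)
| summarize Files = make_set(FileName, 20), FileCount = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, Directory, InitiatingProcessFileName, InitiatingProcessCommandLine,
       InitiatingProcessSHA256, InitiatingProcessAccountName
| order by LastSeen desc
```

A full collection writes the whole family of JSON files within seconds and then the zip, so a single device with FileCount of 5 or more in one directory is a strong signal even when the writing process is a renamed or in-memory SharpHound. The creating process and its command line are the pivot for the follow-up investigation the page recommends.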
Severity: Medium
Category: Persistence
MITRE techniques: T1078, T1133, T1543, T1543.003
Description: A machine was silently registered with Power Automate using the unattended registration method intended for MDM deployments. This could indicate abuse of legitimate tools to obtain both persistence and command & control.
Recommended actions: Investigate the tenant that Power Automate was registered with and determine if this was expected activity or not.
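An added Advanced Hunting example for this detection (not one of the repository's queries). It assumes silent registration is performed by the Power Automate component PAD.MachineRegistration.Silent.exe with -register, -applicationid, -clientsecret and -tenantid arguments on its command line, and that you substitute your own tenant ID for the placeholder GUID.

```kusto
// Added example, not a query from this repository.
// Assumption: silent machine registration runs PAD.MachineRegistration.Silent.exe -register ... -tenantid <guid>
let OurTenantId = "00000000-0000-0000-0000-000000000000";   // placeholder: replace with your tenant ID
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "PAD.MachineRegistration.Silent.exe"
     or ProcessCommandLine has "PAD.MachineRegistration.Silent"
| where ProcessCommandLine has "register"
| extend TenantId = extract(@"(?i)-tenantid\s+([0-9a-f-]{36})", 1, ProcessCommandLine),
         ApplicationId = extract(@"(?i)-applicationid\s+([0-9a-f-]{36})", 1, ProcessCommandLine)
| extend RegisteredToOurTenant = TenantId =~ OurTenantId
// the client secret is passed on the command line in clear; mask it before the result leaves the console
| extend RedactedCommandLine = replace_regex(ProcessCommandLine, @"(?i)(-clientsecret\s+)\S+", @"\1<redacted>")
| project Timestamp, DeviceName, AccountName, RegisteredToOurTenant, TenantId, ApplicationId,
          RedactedCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by RegisteredToOurTenant asc, Timestamp desc
```

Sorting on RegisteredToOurTenant puts registrations to foreign tenants at the top, which is the case the recommended action is about; a registration to your own tenant from an unexpected parent process is still worth a look.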
Severity: High
Category: Malware
MITRE techniques: N/A
Description: An endpoint has contacted a URL that has been reported as malicious to URLhaus.
Recommended actions: Investigate the cause of the activity and look for related events.
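An added Advanced Hunting example for this detection (not one of the repository's queries). It pulls the URLhaus plain-text feed with the externaldata operator and assumes the recent-URL export at https://urlhaus.abuse.ch/downloads/text_recent/ (one URL per line, comment lines prefixed with #). Because RemoteUrl in DeviceNetworkEvents is usually just a host name, the match is made on the host and the full listed URL is carried along for context.

```kusto
// Added example, not a query from this repository.
// Assumption: the URLhaus recent feed is reachable from externaldata and is one URL per line.
let MaliciousHosts = externaldata(Url: string)
    [@"https://urlhaus.abuse.ch/downloads/text_recent/"]
    with (format="txt")
    | where Url !startswith "#"
    | extend Host = tolower(tostring(parse_url(Url).Host))
    | where isnotempty(Host)
    | summarize ListedUrls = count(), SampleListedUrl = take_any(Url) by Host;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host or a full URL; normalise both to a host
| extend Host = tolower(tostring(parse_url(RemoteUrl).Host))
| extend Host = iff(isempty(Host), tolower(RemoteUrl), Host)
| join kind=inner MaliciousHosts on Host
| project Timestamp, DeviceName, ActionType, RemoteUrl, RemoteIP, RemotePort,
          ListedUrls, SampleListedUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

Host-level matching trades precision for recall: shared hosting and large CDNs appear in URLhaus for one bad path and will light up for legitimate traffic too. Use ListedUrls and SampleListedUrl to judge whether the whole host is bad or only one path, and check the process that made the connection before escalating.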
Severity: High
Category: Malware
MITRE techniques: N/A
Description: An XLL add-in file was created on a device, followed by a network connection from Excel launched through the Excel.Application COM object. This may indicate that the XLL file was a malware dropper.
Recommended actions: Investigate the XLL file and URL of the network connection. Quarantine the device if malicious activity is suspected.
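An added Advanced Hunting example for this detection (not one of the repository's queries). It assumes that Excel started through the Excel.Application COM object carries "/automation -Embedding" on its command line, and that a 15-minute window between the XLL being written and the connection is a reasonable correlation bound; both are assumptions to tune.

```kusto
// Added example, not a query from this repository.
// Assumption: COM-launched Excel runs as excel.exe /automation -Embedding
let XllDrops = DeviceFileEvents
    | where Timestamp > ago(7d)
    | where ActionType in ("FileCreated", "FileRenamed", "FileModified")
    | where FileName endswith ".xll"
    | project XllTime = Timestamp, DeviceId, DeviceName, XllPath = FolderPath, XllSHA256 = SHA256,
              DropperProcess = InitiatingProcessFileName, DropperCommandLine = InitiatingProcessCommandLine;
let ExcelComConnections = DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "excel.exe"
    | where InitiatingProcessCommandLine has_all ("automation", "Embedding")
    | project NetTime = Timestamp, DeviceId, RemoteUrl, RemoteIP, RemotePort,
              ExcelCommandLine = InitiatingProcessCommandLine, ExcelPid = InitiatingProcessId;
XllDrops
| join kind=inner ExcelComConnections on DeviceId
// assumption: the connection follows the XLL write within 15 minutes
| where NetTime between (XllTime .. (XllTime + 15m))
| project DeviceName, XllTime, XllPath, XllSHA256, DropperProcess, DropperCommandLine,
          NetTime, RemoteUrl, RemoteIP, RemotePort, ExcelCommandLine, ExcelPid
| order by XllTime desc
```

An XLL opened by a user double-click starts excel.exe with the file path instead of the automation switches, so it is deliberately outside this query; widen the Excel filter if you want both cases, at the cost of noise from ordinary add-in traffic.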