• CVE-2021-40444 MSHTML and other potential malicious processes originating from MS products (Data Lake)

    reg1nleifr
    • Threat Hunting
    • Under Review on 9 Sep 2021
    • 1 Comment
    Query we've used for looking for possible MSHTML related activity. You can add additional programs to the where clause and filter out false positives using the having clause. The rule is mainly based on the idea of this sigma rule: https://github.com...
    • 9 Sep 2021 11:41 AM
  • Query for CVE-2021-40444 MSHTML Process Event

    JeramyKopacko
    • Threat Hunting
    • Approved on 13 Jul 2022
    • 0 Comments
    This query will look for a process event that has been associated with this attack. WinWord.exe has launched a child process called "control.exe" and has been seen in the wild with this vulnerability. This does NOT guarantee you've been breached but...
    • 8 Sep 2021 8:57 PM
  • Query if CVE-2021-40444 MSHTML Mitigations Are Applied

    JeramyKopacko
    • Threat Hunting
    • Under Review on 8 Sep 2021
    • 0 Comments
    The current vulnerability CVE-2021-40444 MSHTML is a zero-day and is awaiting a patch. You should consider the Microsoft guidance in their Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 This query will...
    • 8 Sep 2021 6:54 PM
  • Query with file movements, on computers, to external storage

    Victor Domingo
    • Queries
    • Under Review on 2 Sep 2021
    • 0 Comments
    Is it possible to see the movements of all files on all computers to external storage?
    • 2 Sep 2021 11:42 AM
  • Live Response: Controlling Windows Firewall Using Netsh

    JeramyKopacko
    • Live Response
    • Under Review on 1 Sep 2021
    • 0 Comments
    Imagine a scenario where you discover vulnerable ports or need to temporarily block an application, port, or other. Many environments will leverage GPOs to set their profiles and exceptions. On the fly, we can make changes in real-time to protect the...
    • 1 Sep 2021 11:18 PM
  • Geolocate Device

    Paul Lawrence
    • Device
    • Approved on 25 Feb 2022
    • 0 Comments
    This simple query leverages Live Discover using cURL to geolocate devices. Here's how it works: cURLs out to ifconfig.me/ip to grab the devices' WAN IPs using the response of step one as input, cURLS out to ipapi.co to find location information...
    • 1 Sep 2021 12:25 PM
  • Query - IOC's From GitHub list

    Rafael Moura
    • Threat Hunting
    • Under Review on 24 Aug 2021
    • 2 Comments
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From...
    • 24 Aug 2021 8:56 PM
  • Decoding message_attachments from the xdr_xge_att_data table

    Sevensix
    • Data Lake
    • Under Review on 19 Aug 2021
    • 0 Comments
    Hello Forum, I'm trying to decode the message_attachments from the xdr_xge_att_data table. If you query, you get a result which looks like JSON but it seems is not. I tried with JSON queries like this: CAST (" message_attachments " as JSON), json_extract...
    • 19 Aug 2021 1:58 PM
  • Compare Specific Program Version

    JeramyKopacko
    • Device
    • Approved on 16 Sep 2021
    • 0 Comments
    This query is leveraged in our recommended read to assist in auditing unsupported software. Credit to Jainidhya for assembling this little beauty. Set variable as $$Version$$ with type 'string' and another variable as $$Name$$ with type 'string' Once...
    • 18 Aug 2021 2:21 AM
  • T1078 - CVE-2020-1472 - Netlogon

    JeramyKopacko
    • Threat Hunting
    • Under Review on 16 Aug 2021
    • 0 Comments
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search and detect Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com...
    • 16 Aug 2021 9:36 PM