BertJanCyber Profile picture
Jan 23 3 tweets 3 min read
New #KQL queries.

1. Detect Executable Files in C:\Users\Public*
2. ASR Executable Office Content
3. Hunt for AsyncRAT Initial Access
4. C2 IP Intel Feed
5. C2 Domain Intel Feed

For queries see below! Happy hunting! 🏹

#MDE #Sentinel
github.com/Bert-JanP/Hunt…
1. Based on the tweet from @malmoeb and research from @Mandiant, identify rare executables in the C:\Users\Public\* folders.

github.com/Bert-JanP/Hunt…

2. github.com/Bert-JanP/Hunt…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with BertJanCyber

BertJanCyber Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @BertJanCyber

Dec 19, 2022
In the last months, I have collected some awesome new #KQL sources, and this 🧵lists them.
Are you using Defender For Endpoint, Sentinel, Intune or do you want to learn KQL then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
Type: Query
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
Read 14 tweets
Jun 27, 2022
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awsome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(