Clicking on the name of the query will bring you to the file for it in this git repo.
Or try them out right away in your M365 Security tenant:
Click on the '🔎' hotlink to plug the query right into your Advanced Hunting Query page
- One rule to detect the most common initial access and execution methods
- Looks for uncommon parent/child process combinations
- Adapted from Florian Roth's "God Mode Sigma Rule"
- Still too many false positives to turn into a detection rule
- Missing some things from the original rule
- For each service installation, check the global prevalence of the service executable
- Idea from mRr3b00t @UK_Daniel_Card (link to tweet)
- Query is slow and the join needs more scrutiny for correctness
- Looks for network connections initiated from the System process
- A common TTP associated with this traffic is exploiting WebDAV to download malware
- Emotet example: `rundll32.exe C:\windows\system32\davclnt.dll,DavSetCookie 127.0.0.1 hxxp://127.0.0[.]1/$/users/public/malware[.]exe`
- Still some false positives
- Hard to investigate; needs a recommended investigation process or additional querying for context
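Added example (not one of the queries in this repo): one way to give the System-process network connections the investigation context the last bullet asks for, by pairing each connection with any `rundll32.exe ... davclnt.dll,DavSetCookie` launch on the same device around the same time. Column names follow the Advanced Hunting schema for `DeviceNetworkEvents` and `DeviceProcessEvents`; the 7-day lookback, the 10-minute pairing window and the `WebDavTarget` / `DavClientLaunches` names are assumptions chosen for this example.

```kql
// Added example, not part of this repo's query set.
// Assumptions: 7d lookback, 10m pairing window, documented Advanced Hunting column names.
let lookback = 7d;
let window = 10m;
// WebDAV client launches: rundll32 calling the DavSetCookie export of davclnt.dll.
// The second token after DavSetCookie is the URL the redirector will fetch.
let davclnt = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has "davclnt.dll" and ProcessCommandLine has "DavSetCookie"
| extend WebDavTarget = extract(@"DavSetCookie\s+(\S+)\s+(\S+)", 2, ProcessCommandLine)
| project DavTime = Timestamp, DeviceId, DavCommandLine = ProcessCommandLine, WebDavTarget,
          DavParent = InitiatingProcessFileName, DavParentCommandLine = InitiatingProcessCommandLine;
// Outbound connections attributed to the System process (always PID 4 on Windows),
// which is where the WebDAV redirector's traffic shows up because it runs in kernel mode.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where InitiatingProcessId == 4 or InitiatingProcessFileName =~ "System"
| where RemoteIPType == "Public"
| where RemotePort in (80, 443) or isnotempty(RemoteUrl)
// Pair every connection with the DavSetCookie launches on the same device; connections
// without any launch in the window are kept too, so nothing is hidden, just unexplained.
| join kind=leftouter davclnt on DeviceId
| extend InWindow = Timestamp between ((DavTime - window) .. (DavTime + window))
| summarize
    DavClientLaunches = countif(InWindow),
    WebDavTargets     = make_set_if(WebDavTarget, InWindow),
    DavCommandLines   = make_set_if(DavCommandLine, InWindow),
    DavParents        = make_set_if(strcat(DavParent, " : ", DavParentCommandLine), InWindow)
    by Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl
// Connections that coincide with a WebDAV client launch float to the top; the parent of
// rundll32 (an Office process, a script host, a browser) is usually the fastest triage clue.
| order by DavClientLaunches desc, Timestamp desc
```

Rows with `DavClientLaunches == 0` are System-process connections with no WebDAV client launch nearby and are the ones that still need the additional context the bullet above mentions.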