Detection Library
Every technique ships with a runnable Microsoft Defender / Sentinel KQL query; 30 techniques with file or memory artifacts also ship a validated YARA rule. Choose a phase to view its rules, or jump straight from the coverage matrix.
52 KQL queries
Advanced Hunting across DeviceProcess, File, Registry, Network, Logon & Identity tables.
30 YARA rules
All compile cleanly; behavioural/network-only techniques are KQL-only by design.
1:1 mapping
Every rule ties to a single MalChain technique ID. Click a row to open it.
Coverage matrix
Every technique has a KQL query; 30 also have a YARA rule. Select any row to open its rule below.
Rules by phase
IngressING
How malware enters systems. 7 techniques · copy any rule below.
// Removable Media: execution or executable drop from removable drives
DeviceFileEvents
| where Timestamp > ago(14d)
| where InitiatingProcessAccountName != "system"
| where FolderPath matches regex @"^[D-Z]:\\" and (FileName endswith ".exe" or FileName endswith ".lnk" or FileName endswith ".scr" or FileName == "autorun.inf")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, SHA256
| join kind=leftouter (
DeviceProcessEvents | where FolderPath matches regex @"^[D-Z]:\\"
| project DeviceName, ExecFolder=FolderPath, ProcessCommandLine
) on DeviceNamerule MC_ING_01_Removable_Media_Autorun
{
meta:
author = "MalChain"
technique = "MC-ING-01 Removable Media & File Transfer"
description = "Autorun.inf abusing removable media to auto-launch a payload"
strings:
$a = "[autorun]" ascii nocase
$b = "open=" ascii nocase
$c = "shellexecute=" ascii nocase
$d = "shell\\open\\command" ascii nocase
$exe = ".exe" ascii nocase
condition:
$a and 1 of ($b,$c,$d) and $exe
}// Malvertising / Drive-by: browser spawning script interpreters or writing executables
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe","iexplore.exe","brave.exe")
| where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountNamerule MC_ING_02_Malvertising_HTA_Dropper
{
meta:
author = "MalChain"
technique = "MC-ING-02 Malvertising & Drive-By Downloads"
description = "HTA/JS drive-by dropper invoking script hosts or downloads"
strings:
$hta = "<hta:application" ascii nocase
$ws = "WScript.Shell" ascii nocase
$ado = "ADODB.Stream" ascii nocase
$xhr = "MSXML2.XMLHTTP" ascii nocase
$ps = "powershell" ascii nocase
condition:
($hta or $ws) and 2 of ($ado,$xhr,$ps)
}// Supply Chain: unexpected child process from a signed updater / installer
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName has_any ("update","installer","setup","msiexec.exe")
| where FileName in~ ("powershell.exe","cmd.exe","wscript.exe","cscript.exe","rundll32.exe","regsvr32.exe","bitsadmin.exe","curl.exe","certutil.exe")
| where ProcessCommandLine has_any ("http://","https://","-enc","DownloadString","Invoke-WebRequest")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLinerule MC_ING_03_Supply_Chain_Installer_Backdoor
{
meta:
author = "MalChain"
technique = "MC-ING-03 Supply Chain Compromise"
description = "Installer/updater carrying embedded shell or download logic"
strings:
$u1 = "cmd.exe /c" ascii nocase
$u2 = "powershell -" ascii nocase
$u3 = "DownloadString" ascii nocase
$u4 = "certutil -urlcache" ascii nocase
$msi = "Windows Installer" ascii nocase
condition:
$msi and 2 of ($u1,$u2,$u3,$u4)
}// Credential Abuse: successful sign-ins from anomalous locations / impossible travel (identity)
IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| summarize Countries=dcount(tostring(parse_json(AdditionalFields).Country)), Locations=make_set(tostring(parse_json(AdditionalFields).Country)) by AccountUpn, bin(Timestamp, 1h)
| where Countries > 1
| project Timestamp, AccountUpn, Countries, Locations// Malicious USB: new PnP HID / storage device followed by rapid process execution
DeviceEvents
| where Timestamp > ago(14d)
| where ActionType in ("PnpDeviceConnected","UsbDriveMounted")
| project ConnectTime=Timestamp, DeviceName, AdditionalFields
| join kind=inner (
DeviceProcessEvents
| where FileName in~ ("cmd.exe","powershell.exe","wscript.exe","mshta.exe")
| project ExecTime=Timestamp, DeviceName, FileName, ProcessCommandLine
) on DeviceName
| where ExecTime between (ConnectTime .. (ConnectTime + 2m))rule MC_ING_05_BadUSB_HID_Payload
{
meta:
author = "MalChain"
technique = "MC-ING-05 Malicious or Compromised USB Devices"
description = "Rubber Ducky / BadUSB keystroke-injection script artifacts"
strings:
$d1 = "DELAY " ascii
$d2 = "STRING " ascii
$d3 = "GUI r" ascii
$d4 = "ENTER" ascii
$d5 = "duckyscript" ascii nocase
condition:
$d5 or (3 of ($d1,$d2,$d3,$d4))
}// Watering Hole: navigation to a compromised site then payload retrieval
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe")
| where RemoteUrl has_any (".hta",".jar",".ps1",".js",".vbs",".scr")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileNamerule MC_ING_06_Watering_Hole_Injected_Script
{
meta:
author = "MalChain"
technique = "MC-ING-06 Watering Hole Attacks"
description = "Obfuscated JS injected into web content for selective delivery"
strings:
$s1 = "eval(" ascii
$s2 = "String.fromCharCode(" ascii
$s3 = "unescape(" ascii
$s4 = "document.write(" ascii
$s5 = "atob(" ascii
condition:
3 of them
}// External Remote Services: external RDP/VPN success followed by admin tool use
DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType in ("RemoteInteractive","Network") and ActionType == "LogonSuccess"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, AccountName, RemoteIP, LogonTypeActivationACT
Running malicious code. 7 techniques · copy any rule below.
// User-Executed Files: process launched from Downloads/Temp by a user session
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any (@"\Downloads\", @"\Temp\", @"\AppData\Local\Temp\", @"\Users\Public\")
| where InitiatingProcessFileName in~ ("explorer.exe","outlook.exe","winrar.exe","7zFM.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, ProcessCommandLine, SHA256rule MC_ACT_01_Office_Macro_Executor
{
meta:
author = "MalChain"
technique = "MC-ACT-01 User-Executed Files"
description = "Office document with auto-exec VBA spawning a shell"
strings:
$a1 = "AutoOpen" ascii nocase
$a2 = "Document_Open" ascii nocase
$a3 = "Auto_Open" ascii nocase
$s1 = "Shell(" ascii nocase
$s2 = "WScript.Shell" ascii nocase
$s3 = "CreateObject" ascii nocase
condition:
1 of ($a*) and 1 of ($s*)
}// Script-Based Execution: encoded / obfuscated interpreter command lines
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe")
| where ProcessCommandLine has_any ("-enc","-e ","FromBase64String","IEX","Invoke-Expression","-nop","-w hidden","bypass","DownloadString")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileNamerule MC_ACT_02_Obfuscated_Script
{
meta:
author = "MalChain"
technique = "MC-ACT-02 Script-Based Execution"
description = "Base64/encoded PowerShell or script-based in-memory execution"
strings:
$p1 = "FromBase64String" ascii nocase
$p2 = "-enc" ascii nocase
$p3 = "IEX" ascii
$p4 = "Invoke-Expression" ascii nocase
$p5 = "-w hidden" ascii nocase
$p6 = "-nop" ascii nocase
condition:
2 of them
}// Service-Based Execution: new service created for code execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "sc.exe" and ProcessCommandLine has "create"
or (InitiatingProcessFileName =~ "services.exe" and FileName in~ ("cmd.exe","powershell.exe"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName// DLL Side-Loading: signed app loading an unsigned DLL from its own directory
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath !startswith "C:\\Windows"
| where FolderPath =~ InitiatingProcessFolderPath
| where isempty(Signer) or SignatureStatus != "Valid"
| where FileName endswith ".dll"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SignatureStatusrule MC_ACT_04_DLL_SideLoad_Proxy
{
meta:
author = "MalChain"
technique = "MC-ACT-04 DLL Side-Loading or Hijacking"
description = "Proxy DLL exporting forwarders plus payload staging APIs"
strings:
$e1 = "LoadLibraryA" ascii
$e2 = "GetProcAddress" ascii
$f1 = ".dll" ascii nocase
$a1 = "VirtualProtect" ascii
$a2 = "CreateThread" ascii
condition:
uint16(0) == 0x5A4D and $e1 and $e2 and $f1 and 1 of ($a*)
}// WMI-Based Execution: wmiprvse spawning interpreters (remote/lateral exec)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("powershell.exe","cmd.exe","wscript.exe","mshta.exe","rundll32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine// Browser Extension Execution: new/modified extension manifest with broad permissions
DeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath has_any (@"\Extensions\", @"\Extension Settings\")
| where FileName in~ ("manifest.json","background.js","content.js")
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, SHA256rule MC_ACT_06_Malicious_Browser_Extension
{
meta:
author = "MalChain"
technique = "MC-ACT-06 Browser Extension Execution"
description = "Extension manifest requesting broad permissions + remote code"
strings:
$m = "manifest_version" ascii
$p1 = "\"<all_urls>\"" ascii
$p2 = "webRequest" ascii
$p3 = "tabs" ascii
$c1 = "eval(" ascii
$c2 = "chrome.runtime.onMessage" ascii
condition:
$m and 1 of ($p*) and 1 of ($c*)
}// Boot / Firmware Execution: bootloader / BCD tampering utilities
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("bcdedit.exe","bootcfg.exe","mountvol.exe") and ProcessCommandLine has_any ("set","/set","testsigning","nointegritychecks")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLineAnchoringANC
Maintaining presence. 8 techniques · copy any rule below.
// Startup & Logon: Run key or Startup-folder persistence created
union
(DeviceRegistryEvents
| where ActionType in ("RegistryValueSet","RegistryKeyCreated")
| where RegistryKey has_any (@"\CurrentVersion\Run", @"\CurrentVersion\RunOnce", @"\Winlogon")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName),
(DeviceFileEvents
| where FolderPath has @"\Start Menu\Programs\Startup\"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName)// Scheduled & Triggered: task created via schtasks/PowerShell with suspicious action
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "schtasks.exe" and ProcessCommandLine has "/create")
or (FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has "Register-ScheduledTask")
| where ProcessCommandLine has_any ("powershell","cmd","mshta","rundll32","http","AppData","Temp")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine// Service & Daemon Persistence: auto-start service pointing to user-writable path
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has @"\Services\" and RegistryValueName == "ImagePath"
| where RegistryValueData has_any (@"\Users\", @"\Temp\", @"\AppData\", @"\ProgramData\", "powershell", "cmd /c")
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName// Registry-Based Persistence: less-common autostart locations
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any (@"\Image File Execution Options", @"\AppInit_DLLs", @"\Userinit", @"\Shell", @"\CurrentVersion\Policies\Explorer\Run")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName// Browser-Based Persistence: registry-forced extension load / DebuggerPath
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any (@"\ExtensionInstallForcelist", @"\Chrome\NativeMessagingHosts", @"\Edge\NativeMessagingHosts")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName// WMI Event Subscription Persistence: permanent consumer/binding creation
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has_any ("__EventFilter","CommandLineEventConsumer","ActiveScriptEventConsumer","__FilterToConsumerBinding","root\subscription")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLinerule MC_ANC_06_WMI_Event_Consumer
{
meta:
author = "MalChain"
technique = "MC-ANC-06 WMI & Event Subscription Persistence"
description = "Script creating permanent WMI event subscription persistence"
strings:
$a = "__EventFilter" ascii nocase
$b = "CommandLineEventConsumer" ascii nocase
$c = "ActiveScriptEventConsumer" ascii nocase
$d = "__FilterToConsumerBinding" ascii nocase
$e = "root\\subscription" ascii nocase
condition:
2 of them
}// Fileless & In-Memory Persistence: registry blob storing encoded payload
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where strlen(RegistryValueData) > 2048
| where RegistryValueData matches regex @"[A-Za-z0-9+/]{500,}={0,2}"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, DataLen=strlen(RegistryValueData), InitiatingProcessFileNamerule MC_ANC_07_Fileless_Registry_Payload_Loader
{
meta:
author = "MalChain"
technique = "MC-ANC-07 Fileless & In-Memory Persistence"
description = "Loader reading an encoded payload from the registry into memory"
strings:
$r1 = "Get-ItemProperty" ascii nocase
$r2 = "RegOpenKeyEx" ascii
$b1 = "FromBase64String" ascii nocase
$m1 = "VirtualAlloc" ascii
$m2 = "[Reflection.Assembly]::Load" ascii nocase
condition:
(1 of ($r*)) and $b1 and (1 of ($m*))
}// Boot & Pre-OS Persistence: bootkit / raw disk write tooling
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("bcdedit.exe","bootim.exe","reagentc.exe") and ProcessCommandLine has_any ("set","disable","/set")
or ProcessCommandLine has_any (@"\.\PhysicalDrive0", "\Device\Harddisk0")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLineConcealmentCON
Avoiding detection. 10 techniques · copy any rule below.
// Obfuscation & Packing: newly written PE with very high entropy sections
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any (@"\Temp\", @"\AppData\", @"\ProgramData\", @"\Users\Public\")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
// Pivot SHA256 into a sandbox/entropy source; alert on packer indicators (UPX/MPRESS/Themida)rule MC_CON_01_Packed_Executable
{
meta:
author = "MalChain"
technique = "MC-CON-01 Obfuscation & Packing"
description = "Common runtime packer section names in a PE"
strings:
$upx0 = "UPX0" ascii
$upx1 = "UPX1" ascii
$mpress = ".MPRESS1" ascii
$aspack = ".aspack" ascii
$themida = "Themida" ascii nocase
$petite = ".petite" ascii
condition:
uint16(0) == 0x5A4D and 1 of them
}// Fileless Execution: interpreter with no file, downloading & running in memory
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine has_any ("IEX","Invoke-Expression","DownloadString","Reflection.Assembly","[Convert]::FromBase64String","VirtualAlloc")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileNamerule MC_CON_02_Fileless_Reflective_Loader
{
meta:
author = "MalChain"
technique = "MC-CON-02 Fileless Malware Execution"
description = "In-memory reflective loading / shellcode allocation primitives"
strings:
$a1 = "VirtualAlloc" ascii
$a2 = "VirtualAllocEx" ascii
$a3 = "RtlMoveMemory" ascii
$a4 = "CreateThread" ascii
$a5 = "[Reflection.Assembly]::Load" ascii nocase
$a6 = "ReflectiveLoader" ascii
condition:
3 of them
}// Security Tool Tampering: defender / EDR service or exclusion manipulation
union
(DeviceProcessEvents
| where ProcessCommandLine has_any ("Set-MpPreference","DisableRealtimeMonitoring","Add-MpPreference -ExclusionPath","sc stop","net stop") and ProcessCommandLine has_any ("defender","sense","windefend","MsMpEng","exclusion")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine),
(DeviceRegistryEvents
| where RegistryKey has @"\Windows Defender" and RegistryValueName in ("DisableAntiSpyware","DisableRealtimeMonitoring")
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName)rule MC_CON_03_Security_Tool_Tampering
{
meta:
author = "MalChain"
technique = "MC-CON-03 Security Tool Tampering"
description = "Commands disabling AV/EDR or adding exclusions"
strings:
$a = "Set-MpPreference" ascii nocase
$b = "DisableRealtimeMonitoring" ascii nocase
$c = "Add-MpPreference -ExclusionPath" ascii nocase
$d = "sc stop WinDefend" ascii nocase
$e = "DisableAntiSpyware" ascii nocase
condition:
1 of them
}// Masquerading: system-named binary running from a non-system path
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe","lsass.exe","services.exe","csrss.exe","winlogon.exe","explorer.exe")
| where FolderPath !startswith "C:\\Windows"
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, SHA256rule MC_CON_04_Masquerade_System_Name
{
meta:
author = "MalChain"
technique = "MC-CON-04 Masquerading & Impersonation"
description = "PE claiming a core Windows original filename but lacking MS company"
strings:
$n1 = "svchost.exe" wide ascii nocase
$n2 = "lsass.exe" wide ascii nocase
$n3 = "services.exe" wide ascii nocase
$ms = "Microsoft Corporation" wide ascii
condition:
uint16(0) == 0x5A4D and 1 of ($n*) and not $ms
}// Sandbox / Environment Evasion: reconnaissance of VM & analysis artifacts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("vmware","vbox","virtualbox","qemu","sbiedll","wireshark","procmon","Win32_ComputerSystem","NumberOfCores")
| where FileName in~ ("wmic.exe","powershell.exe","reg.exe","cmd.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLinerule MC_CON_05_Sandbox_Evasion_Strings
{
meta:
author = "MalChain"
technique = "MC-CON-05 Environment & Sandbox Evasion"
description = "Anti-VM / anti-analysis artifact strings"
strings:
$v1 = "VBoxGuest" ascii nocase
$v2 = "vmware" ascii nocase
$v3 = "vmtoolsd" ascii nocase
$v4 = "SbieDll.dll" ascii nocase
$v5 = "QEMU" ascii
$v6 = "IsDebuggerPresent" ascii
$v7 = "CheckRemoteDebuggerPresent" ascii
condition:
3 of them
}// Process Injection: cross-process handle open + remote thread indicators
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall","WriteToLsassProcessMemory","QueueUserApcRemoteApiCall","SetThreadContextRemoteApiCall")
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FileName, AdditionalFieldsrule MC_CON_06_Process_Injection_Primitives
{
meta:
author = "MalChain"
technique = "MC-CON-06 Process Injection"
description = "Classic remote-injection / process-hollowing API set"
strings:
$a1 = "OpenProcess" ascii
$a2 = "VirtualAllocEx" ascii
$a3 = "WriteProcessMemory" ascii
$a4 = "CreateRemoteThread" ascii
$a5 = "NtUnmapViewOfSection" ascii
$a6 = "SetThreadContext" ascii
$a7 = "QueueUserAPC" ascii
condition:
uint16(0) == 0x5A4D and 3 of them
}// Polymorphism/Metamorphism: many distinct hashes, same filename across fleet
DeviceFileEvents
| where Timestamp > ago(14d)
| where ActionType == "FileCreated"
| summarize DistinctHashes=dcount(SHA256), Hosts=dcount(DeviceName) by FileName
| where DistinctHashes > 10 and Hosts > 3
| project FileName, DistinctHashes, Hostsrule MC_CON_07_Polymorphic_Loader
{
meta:
author = "MalChain"
technique = "MC-CON-07 Polymorphism & Metamorphism"
description = "Self-modifying / runtime-decrypting loader primitives"
strings:
$a1 = "VirtualProtect" ascii
$a2 = "WriteProcessMemory" ascii
$x1 = { 33 ?? 88 ?? ?? 40 } // xor/store/inc decrypt-loop shape
$x2 = { 80 34 ?? ?? 40 3B } // xor byte ptr [reg+key]; inc; cmp
condition:
uint16(0) == 0x5A4D and 1 of ($a*) and 1 of ($x*)
}// Log & Artifact Manipulation: event-log clearing
union
(DeviceProcessEvents
| where (FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("cl ","clear-log"))
or (FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has "Clear-EventLog")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine),
(DeviceEvents | where ActionType == "SecurityLogCleared" | project Timestamp, DeviceName, ActionType, InitiatingProcessFileName)rule MC_CON_08_Log_Manipulation
{
meta:
author = "MalChain"
technique = "MC-CON-08 Log & Artifact Manipulation"
description = "Event log clearing / tampering commands"
strings:
$a = "wevtutil cl" ascii nocase
$b = "Clear-EventLog" ascii nocase
$c = "wevtutil clear-log" ascii nocase
$d = "Remove-EventLog" ascii nocase
condition:
1 of them
}// Living-off-the-Land for Evasion: proxy execution via trusted binaries
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("regsvr32.exe","rundll32.exe","mshta.exe","installutil.exe","msbuild.exe","certutil.exe","regasm.exe","regsvcs.exe")
| where ProcessCommandLine has_any ("http","scrobj","javascript:","-decode","-urlcache","/i:","AppData","Temp")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLinerule MC_CON_09_LOLBin_Proxy_Execution
{
meta:
author = "MalChain"
technique = "MC-CON-09 Living-off-the-Land for Evasion"
description = "LOLBin proxy-execution command patterns"
strings:
$a = "regsvr32" ascii nocase
$s = "scrobj.dll" ascii nocase
$b = "mshta" ascii nocase
$j = "javascript:" ascii nocase
$c = "certutil" ascii nocase
$u = "-urlcache" ascii nocase
condition:
($a and $s) or ($b and $j) or ($c and $u)
}// Anti-Forensics: shadow copy deletion & timestomping
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("vssadmin delete shadows","wmic shadowcopy delete","Delete-VssShadow","fsutil usn deletejournal","bcdedit /set {default} recoveryenabled no","wbadmin delete catalog")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLinerule MC_CON_10_AntiForensics_Cleanup
{
meta:
author = "MalChain"
technique = "MC-CON-10 Anti-Forensics & Cleanup"
description = "Shadow copy deletion / recovery disabling / journal wipe"
strings:
$a = "vssadmin delete shadows" ascii nocase
$b = "wmic shadowcopy delete" ascii nocase
$c = "wbadmin delete catalog" ascii nocase
$d = "fsutil usn deletejournal" ascii nocase
$e = "recoveryenabled no" ascii nocase
condition:
1 of them
}ExpansionEXP
Spreading within networks. 10 techniques · copy any rule below.
// LotL Lateral Movement: remote exec tools launched to another host
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe","psexesvc.exe","wmic.exe","winrs.exe") or (FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has_any ("Invoke-Command","New-PSSession","-ComputerName","Enter-PSSession"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine// Credential Reuse & Relay: same account authenticating to many hosts quickly
DeviceLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess" and LogonType in ("Network","RemoteInteractive")
| summarize Hosts=dcount(DeviceName), HostSet=make_set(DeviceName,20) by AccountName, bin(Timestamp, 15m)
| where Hosts >= 5
| project Timestamp, AccountName, Hosts, HostSet// Pass-the-Hash / Pass-the-Ticket: NTLM/Kerberos logon anomalies from lsass access
DeviceLogonEvents
| where Timestamp > ago(3d)
| where LogonType == "Network" and ActionType == "LogonSuccess"
| where isempty(RemoteIP) == false
| join kind=inner (DeviceEvents | where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe" | project DeviceName, Timestamp) on DeviceName
| project Timestamp, DeviceName, AccountName, RemoteIP, LogonTyperule MC_EXP_03_Credential_Ticket_Tooling
{
meta:
author = "MalChain"
technique = "MC-EXP-03 Pass-the-Hash / Pass-the-Ticket"
description = "Mimikatz/Rubeus PtH/PtT command artifacts"
strings:
$a = "sekurlsa::pth" ascii nocase
$b = "sekurlsa::logonpasswords" ascii nocase
$c = "kerberos::ptt" ascii nocase
$d = "asktgt" ascii nocase
$e = "Rubeus" ascii
condition:
1 of them
}// Remote Service & Protocol Abuse: remote service creation over the network
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "sc.exe" and ProcessCommandLine has_any (@"\\", "\\") and ProcessCommandLine has "create"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine// Network Share Propagation: writes of executables to admin/hidden shares
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath matches regex @"\\\\[^\\]+\\(ADMIN\$|C\$|IPC\$)"
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".bat"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, SHA256// Worm-like Self-Propagation: one process writing identical binary to many hosts/shares
DeviceFileEvents
| where Timestamp > ago(2d)
| where ActionType == "FileCreated" and (FileName endswith ".exe" or FileName endswith ".dll")
| summarize Targets=dcount(DeviceName), Paths=dcount(FolderPath) by SHA256, InitiatingProcessFileName
| where Targets > 5 or Paths > 20
| project SHA256, InitiatingProcessFileName, Targets, Pathsrule MC_EXP_06_Worm_SelfPropagation
{
meta:
author = "MalChain"
technique = "MC-EXP-06 Worm-like Self-Propagation"
description = "Self-copy to network shares / removable drives via enumeration"
strings:
$a1 = "WNetAddConnection2" ascii
$a2 = "GetLogicalDrives" ascii
$a3 = "CopyFile" ascii
$s1 = "\\ADMIN$" ascii nocase
$s2 = "\\C$" ascii nocase
$s3 = "autorun.inf" ascii nocase
condition:
uint16(0) == 0x5A4D and 1 of ($a*) and 1 of ($s*)
}// Privilege Escalation Across Hosts: token/UAC bypass & elevation tooling
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("SeDebugPrivilege","fodhelper.exe","eventvwr.exe","computerdefaults.exe","sdclt.exe","Invoke-TokenManipulation","getsystem")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName// Identity & Trust Relationship Abuse: golden/silver ticket & delegation abuse recon
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("kerberos::golden","kerberos::ptt","Add-KrbtgtKey","asktgt","s4u","/impersonateuser","Rubeus")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLinerule MC_EXP_08_Kerberos_Trust_Abuse
{
meta:
author = "MalChain"
technique = "MC-EXP-08 Identity & Trust Relationship Abuse"
description = "Golden/silver ticket and delegation abuse artifacts"
strings:
$a = "kerberos::golden" ascii nocase
$b = "kerberos::silver" ascii nocase
$c = "/krbtgt" ascii nocase
$d = "s4u" ascii nocase
$e = "/impersonateuser" ascii nocase
condition:
1 of them
}// Directory Services Targeting: DCSync / mass LDAP enumeration
union
(DeviceProcessEvents
| where ProcessCommandLine has_any ("lsadump::dcsync","dcsync","GetNCChanges","Get-ADReplAccount")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine),
(IdentityDirectoryEvents
| where ActionType == "Directory Services replication"
| project Timestamp, DeviceName=TargetDeviceName, AccountName=AccountUpn, ActionType)rule MC_EXP_09_DCSync_Directory_Attack
{
meta:
author = "MalChain"
technique = "MC-EXP-09 Directory Services Targeting"
description = "DCSync / directory replication abuse artifacts"
strings:
$a = "lsadump::dcsync" ascii nocase
$b = "GetNCChanges" ascii
$c = "DsGetNCChanges" ascii
$d = "Get-ADReplAccount" ascii nocase
condition:
1 of them
}// Cloud & Hybrid Lateral Movement: on-prem host reaching cloud IMDS / token endpoints
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("169.254.169.254","login.microsoftonline.com","sts.amazonaws.com","metadata.google.internal")
| where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","curl.exe","python.exe","cmd.exe")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLineExtractionEXT
Stealing data. 10 techniques · copy any rule below.
// HTTP/HTTPS Exfil: large outbound upload to rare external host
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| summarize SentBytes=sum(tolong(coalesce(SentBytes,0))) by DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, bin(Timestamp,1h)
| where SentBytes > 50000000
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, SentBytes, InitiatingProcessFileName// DNS Tunneling: long / high-entropy subdomains and high query volume
DeviceNetworkEvents
| where Timestamp > ago(3d)
| where ActionType == "DnsQueryResponse" or isnotempty(RemoteUrl)
| extend Sub = tostring(split(RemoteUrl, ".")[0])
| where strlen(Sub) > 30
| summarize Queries=count(), MaxLen=max(strlen(Sub)) by DeviceName, Domain=strcat(tostring(split(RemoteUrl,".")[-2]),".",tostring(split(RemoteUrl,".")[-1])), bin(Timestamp,1h)
| where Queries > 100
| project Timestamp, DeviceName, Domain, Queries, MaxLenrule MC_EXT_02_DNS_Tunnel_Tooling
{
meta:
author = "MalChain"
technique = "MC-EXT-02 DNS Tunneling"
description = "Known DNS-tunnel tool markers / DNS TXT exfil routines"
strings:
$a = "iodine" ascii nocase
$b = "dnscat" ascii nocase
$c = "dns2tcp" ascii nocase
$t = "DNS_TYPE_TXT" ascii
$q = "DnsQuery_A" ascii
condition:
1 of ($a,$b,$c) or ($t and $q)
}// Cloud Storage Abuse: upload utilities / SDKs contacting cloud storage
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("s3.amazonaws.com","blob.core.windows.net","storage.googleapis.com","dropboxapi.com","drive.google.com","mega.nz")
| where InitiatingProcessFileName in~ ("powershell.exe","curl.exe","rclone.exe","python.exe","cmd.exe","aws.exe")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine// Messaging/Social Channels: exfil via Telegram/Discord/webhook APIs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("api.telegram.org","discord.com/api/webhooks","discordapp.com/api/webhooks","hooks.slack.com","pastebin.com")
| where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","teams.exe","slack.exe","discord.exe")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLinerule MC_EXT_04_Messaging_Channel_Exfil
{
meta:
author = "MalChain"
technique = "MC-EXT-04 Messaging and Social Platform Channels"
description = "Hardcoded Telegram/Discord webhook exfil endpoints"
strings:
$a = "api.telegram.org/bot" ascii nocase
$b = "discord.com/api/webhooks" ascii nocase
$c = "discordapp.com/api/webhooks" ascii nocase
$d = "hooks.slack.com/services" ascii nocase
condition:
1 of them
}// FTP/SFTP/FTPS Transfer: command-line FTP clients to external hosts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("ftp.exe","winscp.com","winscp.exe","pscp.exe","psftp.exe","curl.exe") and ProcessCommandLine has_any ("ftp://","sftp://","ftps://","-put","put ")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine// Tor / Proxy / VPN Anonymization: connections to Tor / anonymizer infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (".onion","torproject.org") or InitiatingProcessFileName in~ ("tor.exe","obfs4proxy.exe","psiphon.exe")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileNamerule MC_EXT_06_Tor_Anonymizer_Artifacts
{
meta:
author = "MalChain"
technique = "MC-EXT-06 Tor / Proxy / VPN Anonymization Channels"
description = "Embedded Tor / onion routing artifacts"
strings:
$a = ".onion" ascii nocase
$b = "tor.exe" ascii nocase
$c = "obfs4proxy" ascii nocase
$d = "SOCKS5" ascii
$e = "torrc" ascii nocase
condition:
2 of them
}// Encrypted C2: periodic beaconing (regular interval, small jitter) to one host
DeviceNetworkEvents
| where Timestamp > ago(2d) and RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| summarize Beacons=count(), Intervals=make_list(Timestamp,200) by DeviceName, RemoteIP, InitiatingProcessFileName
| where Beacons > 50
| project DeviceName, RemoteIP, InitiatingProcessFileName, Beacons
// Post-process Intervals for low standard-deviation to confirm beaconingrule MC_EXT_07_Encrypted_C2_Config
{
meta:
author = "MalChain"
technique = "MC-EXT-07 Encrypted Command-and-Control Channels"
description = "Beacon/C2 config primitives and known malleable markers"
strings:
$a = "User-Agent:" ascii
$b = "WinHttpConnect" ascii
$c = "InternetOpenA" ascii
$bk = "beacon.dll" ascii nocase
$mz = "ReflectiveLoader" ascii
condition:
uint16(0) == 0x5A4D and ($bk or $mz or (2 of ($a,$b,$c)))
}// Removable Media Data Extraction: bulk copy of documents to removable drive
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated" and FolderPath matches regex @"^[D-Z]:\\"
| where FileName has_any (".docx",".xlsx",".pdf",".pst",".zip",".7z",".sql",".csv")
| summarize Files=count(), Bytes=sum(tolong(coalesce(FileSize,0))) by DeviceName, InitiatingProcessAccountName, bin(Timestamp,10m)
| where Files > 25
| project Timestamp, DeviceName, InitiatingProcessAccountName, Files, Bytes// Steganographic Data Transfer: stego tooling / image files with appended data
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ ("steghide.exe","openstego.exe","outguess.exe","zsteg.exe") or ProcessCommandLine has_any ("steghide","Add-Content -Encoding Byte","copy /b image","Invoke-PSImage")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLinerule MC_EXT_09_Steganography_Tooling
{
meta:
author = "MalChain"
technique = "MC-EXT-09 Steganographic Data Transfer"
description = "Steganography tools / PS image-embedding routines"
strings:
$a = "steghide" ascii nocase
$b = "OpenStego" ascii nocase
$c = "Invoke-PSImage" ascii nocase
$d = "outguess" ascii nocase
condition:
1 of ($a,$b,$c,$d)
}// Multi-Channel Redundant Exfil: one process using several distinct egress channels
DeviceNetworkEvents
| where Timestamp > ago(1d) and RemoteIPType == "Public"
| summarize Channels=dcount(RemoteUrl), Protocols=make_set(RemotePort,10) by DeviceName, InitiatingProcessFileName, bin(Timestamp,30m)
| where Channels > 15
| project Timestamp, DeviceName, InitiatingProcessFileName, Channels, Protocols