Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Microsoft Defender XDR |
| ID | e18109aa-f252-48ec-b115-1b7c16e1174f |
| Tactics | DefenseEvasion, Discovery, Execution |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
DeviceProcessEvents |
InitiatingProcessCommandLine endswith "127.0.0.1"InitiatingProcessCommandLine has "-a"InitiatingProcessCommandLine has "-nao"InitiatingProcessCommandLine has "-t"InitiatingProcessCommandLine has "/all"InitiatingProcessFileName in "explorer.exe,mobsync.exe" |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊