Potential rootkit network activity missing from MDE

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Identifies outbound network connections logged by perimeter firewalls that are entirely missing from Microsoft Defender for Endpoint (MDE) telemetry. This discrepancy strongly indicates a threat actor operating in kernel space, to hide C2 traffic.

Attribute	Value
Type	Hunting Query
Solution	Standalone Content
ID	`564bf64a-bada-4c6b-8821-53138d660f78`
Tactics	DefenseEvasion, CommandAndControl, Exfiltration
Techniques	T1562.001, T1562.004, T1011
Required Connectors	MicrosoftThreatProtection, PaloAltoNetworks, Fortinet, Cisco, CheckPoint
Source	[View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialRootkitTrafficMissingFromMDE.yaml)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries